fixup! clammit: new software release

5e23b51e · Nicolas Wavrant · aef9c84f · 5e23b51e · 5e23b51e · 5e23b51e
Commit 5e23b51e authored Jul 16, 2024 by Nicolas Wavrant
6 changed files
--- a/software/clammit/buildout.hash.cfg
+++ b/software/clammit/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 4cb16b15f88d7afd50a72fe7c0e175da
+md5sum = 37faa24668a648abe31556a36394a5da

 [clamd.conf.in]
 filename = clamd.conf.in

--- a/software/clammit/instance.cfg.in
+++ b/software/clammit/instance.cfg.in
+{% import "caucase" as caucase with context %}
+
 [buildout]

 extends =
-  {{ template_logrotate_base }}
+  {{ template_monitor }}

 parts =
  ${:clamd-parts}
  ${:freshclam-parts}
  ${:clammit-parts}
  ${:frontend-parts}
-  cron-entry-logrotate
+  monitor-base
  publish-connection-parameter

 clamd-parts =
@@ -24,6 +26,7 @@ clammit-parts =
 frontend-parts =
  frontend
  frontend-promise
+  frontend-certificate

 eggs-directory = {{ buildout['eggs-directory'] }}
 develop-eggs-directory = {{ buildout['develop-eggs-directory'] }}
@@ -40,15 +43,20 @@ cert = ${slap-connection:cert-file}
 [publish-connection-parameter]
 recipe = slapos.cookbook:publish
 url = ${frontend-config:url}
+status-url = ${:url}/clammit
+scan-url = ${:url}/clammit/scan

 [directory]
 recipe = slapos.cookbook:mkdirectory
 home = ${buildout:directory}
 etc = ${:home}/etc
+etc.certificate = ${:etc}/certificate
 etc.promise = ${:etc}/promise
 etc.run = ${:etc}/run
 etc.service = ${:etc}/service
 srv = ${:home}/srv
+srv.backup.caucased = ${:srv}/backup/caucased
+srv.caucased = ${:srv}/caucased
 tmp = ${:home}/tmp
 var = ${:home}/var
 var.clamdb = ${:var}/clamdb
@@ -150,6 +158,84 @@ path = ${directory:etc.promise}/${:_buildout_section_name_}
 hostname= ${clam-config:clammit-listen-address}
 port = ${clam-config:clammit-listen-port}

+################################################################################
+# Caucase
+################################################################################
+
+[frontend-certificate]
+key-file = ${directory:etc.certificate}/${:_buildout_section_name_}.key
+cert-file = ${directory:etc.certificate}/${:_buildout_section_name_}.crt
+common-name = ${:_buildout_section_name_}
+ca-file = ${directory:etc.certificate}/${:_buildout_section_name_}.ca.crt
+crl-file = ${directory:etc.certificate}/${:_buildout_section_name_}.crl
+
+{{
+caucase.updater(
+    prefix='frontend-certificate',
+    buildout_bin_directory=buildout['bin-directory'],
+    updater_path='${directory:etc.service}/frontend-certificate-updater',
+    url='${caucased:url}',
+    data_dir='${directory:srv}/caucase-updater',
+    crt_path='${frontend-certificate:cert-file}',
+    ca_path='${frontend-certificate:ca-file}',
+    crl_path='${frontend-certificate:crl-file}',
+    key_path='${frontend-certificate:key-file}',
+    template_csr='${frontend-certificate-prepare-csr:csr}',
+    openssl=openssl.location + "/bin",
+)}}
+
+[frontend-certificate-csr-config]
+recipe = slapos.recipe.template
+inline =
+  [req]
+  prompt = no
+  req_extensions = req_ext
+  distinguished_name = dn
+  [ dn ]
+  CN = frontend
+  [ req_ext ]
+  subjectAltName = @alt_names
+  [ alt_names ]
+  IP.1 = ${frontend-config:address}
+output = ${buildout:parts-directory}/${:_buildout_section_name_}/${:_buildout_section_name_}.txt
+
+[frontend-certificate-prepare-csr]
+recipe = plone.recipe.command
+command =
+  if [ ! -f '${:csr}' ] ; then
+   {{ openssl.location }}/bin/openssl req \
+      -newkey rsa \
+      -batch \
+      -new \
+      -sha256 \
+      -nodes \
+      -keyout /dev/null \
+      -config '${frontend-certificate-csr-config:output}' \
+      -out '${:csr}'
+  fi
+stop-on-error = true
+csr = ${directory:srv}/${:_buildout_section_name_}.csr.pem
+
+[caucased]
+port = 19980
+ip = ${instance-parameter:ipv6-random}
+netloc = [${:ip}]:${:port}
+url = http://${:netloc}/
+
+{{
+caucase.caucased(
+    prefix='caucased',
+    buildout_bin_directory=buildout['bin-directory'],
+    caucased_path='${directory:etc.service}/caucased',
+    backup_dir='${directory:srv.backup.caucased}',
+    data_dir='${directory:srv.caucased}',
+    netloc='${caucased:netloc}',
+    tmp='${directory:tmp}',
+    service_auto_approve_count=1,
+    user_auto_approve_count=0,
+    key_len=2048,
+)}}
+
 ################################################################################
 # Local frontend
 ################################################################################

--- a/software/clammit/software.cfg
+++ b/software/clammit/software.cfg
@@ -4,6 +4,7 @@ extends =
  ../../component/clammit/buildout.cfg
  ../../component/curl/buildout.cfg
  ../../component/dash/buildout.cfg
+  ../../stack/caucase/buildout.cfg
  ../../stack/haproxy/default-backend.cfg
  ../../stack/logrotate/buildout.cfg
  ../../stack/slapos.cfg
@@ -11,6 +12,7 @@ extends =

 parts =
  slapos-cookbook
+  caucase-eggs
  instance.cfg.in

 [instance.cfg.in]
@@ -30,6 +32,9 @@ context =
  key clammit_conf_path clammit.conf.in:target
  key template_logrotate_base template-logrotate-base:output
  key haproxy_conf_path stack-haproxy-default-backend-config:target
+  key template_monitor monitor2-template:output
+import-list =
+  file caucase caucase-jinja2-library:target

 [download-base]
 recipe = slapos.recipe.build:download

--- a/software/clammit/test/README.md
+++ b/software/clammit/test/README.md
+Tests for the clammit Software Release
--- a/software/clammit/test/setup.py
+++ b/software/clammit/test/setup.py
+##############################################################################
+#
+# Copyright (c) 2024 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+from setuptools import setup, find_packages
+
+version = '0.1'
+name = 'slapos.test.clammit'
+long_description = open("README.md").read()
+
+setup(
+    name=name,
+    version=version,
+    description="Test for SlapOS' dufs",
+    long_description=long_description,
+    long_description_content_type='text/markdown',
+    maintainer="Nexedi",
+    maintainer_email="info@nexedi.com",
+    url="https://lab.nexedi.com/nexedi/slapos",
+    packages=find_packages(),
+    install_requires=[
+        'slapos.core',
+        'slapos.libnetworkcache',
+        'requests',
+    ],
+    zip_safe=True,
+    test_suite='test',
+)
--- a/software/clammit/test/test.py
+++ b/software/clammit/test/test.py
+##############################################################################
+#
+# Copyright (c) 2024 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+import contextlib
+import io
+import os
+import pathlib
+import subprocess
+import tempfile
+import urllib.parse
+
+import requests
+
+from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
+
+setUpModule, SlapOSInstanceTestCase = makeModuleSetUpAndTestCaseClass(
+  os.path.abspath(
+    os.path.join(os.path.dirname(__file__), '..', 'software.cfg')))
+
+
+class TestFileServer(SlapOSInstanceTestCase):
+  def setUp(self):
+    self.connection_parameters = \
+        self.computer_partition.getConnectionParameterDict()
+    self.ca_cert = self._getCaucaseServiceCACertificate()
+
+  def _getCaucaseServiceCACertificate(self):
+    ca_cert = tempfile.NamedTemporaryFile(
+      prefix="ca.crt.pem",
+      mode="w",
+      delete=False,
+    )
+    ca_cert.write(
+      requests.get(
+        urllib.parse.urljoin(
+          self.connection_parameters['caucase-url'],
+          '/cas/crt/ca.crt.pem',
+        )).text)
+    self.addCleanup(os.unlink, ca_cert.name)
+    return ca_cert.name
+
+  def test_upload_of_files_to_clammit_for_scan(self):
+    resp = requests.get(
+      self.connection_parameters['scan-url'],
+      verify=self.ca_cert,
+    )
+
+    r = requests.post(
+      self.connection_parameters['scan-url'],
+      files={'file': 'Hello world'}
+    )
+    self.assertEqual(r.status_code, 200)
+
+    r = requests.post(
+      self.connection_parameters['scan-url'],
+      files={'file': b'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'}
+    )
+    self.assertEqual(r.status_code, 418)
+
+  def test_renew_certificate(self):
+    def _getpeercert():
+      # XXX low level way to get get the server certificate
+      with requests.Session() as session:
+        pool = session.get(
+          self.connection_parameters['public-url'],
+          verify=self.ca_cert,
+        ).raw._pool.pool
+        with contextlib.closing(pool.get()) as cnx:
+          return cnx.sock._sslobj.getpeercert()
+
+    cert_before = _getpeercert()
+    # execute certificate updater when it's time to renew certificate.
+    # use a timeout, because this service runs forever
+    subprocess.run(
+      (
+        'timeout',
+        '5',
+        'faketime',
+        '+63 days',
+        os.path.join(
+          self.computer_partition_root_path,
+          'etc/service/dufs-certificate-updater'),
+      ),
+      capture_output=not self._debug,
+    )
+
+    # reprocess instance to get the new certificate, after removing the timestamp
+    # to force execution
+    (pathlib.Path(self.computer_partition_root_path) / '.timestamp').unlink()
+    self.waitForInstance()
+
+    cert_after = _getpeercert()
+    self.assertNotEqual(cert_before['notAfter'], cert_after['notAfter'])