software/simpleran: publish public link to websocket

Publish public link to websocket served by our CDN
so that clients can connect to the websocket using
Amarisoft GUI

software/simpleran/buildout.hash.cfg

@@ -16,7 +16,7 @@
 
 [template]
 filename = instance.cfg
-md5sum = 770fccd0e4c5ad30e9637fd643a126c5
+md5sum = 6fa56c5dbcacde8625a2a7f0584df281
 
 [template-ors]
 filename = instance-ors.cfg
@@ -28,7 +28,7 @@ md5sum = 8d6eb90fc1191c3a1b24200df2ebf4fa
 
 [ru_amarisoft-stats.jinja2.py]
 _update_hash_filename_ = ru/amarisoft-stats.jinja2.py
-md5sum = 674dcc250c0b6bb43d8546624552fc5d
+md5sum = 31b609f80a82b6efed963161c8907878
 
 [ru_amarisoft-rf-info.jinja2.py]
 _update_hash_filename_ = ru/amarisoft-rf-info.jinja2.py
@@ -36,7 +36,7 @@ md5sum = ab666fdfadbfc7d8a16ace38d295c883
 
 [ru_libinstance.jinja2.cfg]
 _update_hash_filename_ = ru/libinstance.jinja2.cfg
-md5sum = 7613c4decd4468ab5d826421aef955f1
+md5sum = d88a056c8a5e56cbead61f00df4a194c
 
 [ru_sdr_libinstance.jinja2.cfg]
 _update_hash_filename_ = ru/sdr/libinstance.jinja2.cfg
@@ -60,7 +60,7 @@ md5sum = 52da9fe3a569199e35ad89ae1a44c30e
 
 [template-enb]
 _update_hash_filename_ = instance-enb.jinja2.cfg
-md5sum = a05c6ed1830d77a9faea67ac54cf9c2f
+md5sum = 6a3cbb7883eb1bf475d42587f5985984
 
 [template-ors-enb]
 _update_hash_filename_ = instance-ors-enb.jinja2.cfg
@@ -88,7 +88,7 @@ md5sum = dd50b4e4780830ddbde28b84af118f18
 
 [enb.jinja2.cfg]
 filename = config/enb.jinja2.cfg
-md5sum = 2c49e14af6869387880d5e8e1c0ede64
+md5sum = 9c77f0565080e7b0322d9d5fcf4818b0
 
 [drb_lte.jinja2.cfg]
 filename = config/drb_lte.jinja2.cfg
@@ -141,3 +141,7 @@ md5sum = f02fbfd31ba89cf243e2752adcae28d9
 [frequency_outofbounds_promise]
 _update_hash_filename_ = promise/check_frequency_outofbounds.py
 md5sum = 7c83eab2df4f5a5d519e3eb16e4077a3
+
+[nginx_conf.in]
+_update_hash_filename_ = config/nginx_conf.in
+md5sum = e2496564695fb76b242c3e0f8d0ab6c3

software/simpleran/config/enb.jinja2.cfg

@@ -145,15 +145,11 @@
 {# instantiate radio units #}
 {{ slaplte.ru_config(iru_dict, slapparameter_dict, True) }}
 
-  {%- if slapparameter_dict.get('websocket_password', '') %}
-  com_addr: "[{{ gtp_addr_v6 }}]:{{ slapparameter_dict.com_ws_port }}",
+  com_addr: "{{ slapparameter_dict.com_addr }}:{{ slapparameter_dict.com_ws_port }}",
   com_auth: {
-    password: "{{ slapparameter_dict['websocket_password'] }}",
-    unsecure: true,
+    password: "{{ websocket_password }}",
+    unsecure: false,
   },
-  {%- else %}
-  com_addr: "{{ slapparameter_dict.com_addr }}:{{ slapparameter_dict.com_ws_port }}",
-  {%- endif %}
 
 {%- if slapparameter_dict.get('mbmsgw_addr', '') %}
   mbmsgw_addr: "{{ slapparameter_dict.mbmsgw_addr }}",

software/simpleran/config/nginx_conf.in

+worker_processes {{ params['nb-workers'] }};
+
+pid {{ params['path-pid'] }};
+error_log {{ params['path-error-log'] }};
+
+daemon off;
+
+events {
+  worker_connections 1024;
+  accept_mutex off;
+}
+
+http {
+    include {{ mime }};
+    default_type  application/octet-stream;
+    types_hash_bucket_size 64;
+    access_log {{ params['path-access-log'] }} combined;
+
+    upstream enb_websocket {
+        server {{ params['websocket-ip'] }}:{{ params['websocket-port'] }};
+    }
+    server {
+        listen [{{ params['ip'] }}]:{{ params['port'] }} ssl http2;
+        server_name _;
+
+        ssl_certificate {{ ca['cert-file'] }};
+        ssl_certificate_key {{ ca['key-file'] }};
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_tickets off;
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers off;
+
+        keepalive_timeout 5;
+        client_body_temp_path {{ tempdir['client-body-temp-path'] }};
+        proxy_temp_path {{ tempdir['proxy-temp-path'] }};
+        fastcgi_temp_path {{ tempdir['fastcgi-temp-path'] }};
+        uwsgi_temp_path {{ tempdir['uwsgi-temp-path'] }};
+        scgi_temp_path {{ tempdir['scgi-temp-path'] }};
+
+        location /{{ params['websocket-path'] }} {
+            proxy_http_version 1.1;
+            proxy_pass http://enb_websocket/;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            # VNC connection timeout
+            proxy_read_timeout 61s;
+
+            # Disable cache
+            proxy_buffering off;
+        }
+
+    }
+}

software/simpleran/instance-enb-input-schema.json

@@ -165,11 +165,6 @@
       "type": "object",
       "default": {}
     },
-    "websocket_password": {
-      "title": "Websocket password",
-      "description": "Activates websocket for remote control and sets password",
-      "type": "string"
-    },
     "log_phy_debug": {
       "title": "Physical layer log debug",
       "description": "Enable debug mode for physical layer logs",

software/simpleran/instance-enb.jinja2.cfg

@@ -32,6 +32,9 @@ parts =
   check-xlog-fluentbit-forward-host.py
   check-xlog-fluentbit-health.py
 {%- endif %}
+  nginx-launcher
+  nginx-graceful
+  websocket-promise
   check-baseband-latency.py
   monitor-base
   publish-connection-information
@@ -80,6 +83,8 @@ ip = ${monitor-instance-parameter:monitor-httpd-ipv6}
 recipe = slapos.cookbook:mkdirectory
 software = {{ buildout_directory }}
 home = ${buildout:directory}
+ca-dir = ${:srv}/ssl
+websocket-conf = ${:etc}/websocket
 var = ${:home}/var
 etc = ${:home}/etc
 bin = ${:home}/bin
@@ -152,16 +157,11 @@ drb_stats_logspec =
 {%- endif %}
 rotatespec = 100MB.9
 logspec = ${:stats_logspec} ${:drb_stats_logspec}
-{%- if slapparameter_dict.get("websocket_password", "") %}
-websock = ws://[{{my_ipv6}}]:9001
-{%- else %}
-websock = ws://127.0.1.2:9001
-{%- endif %}
 xamari = {{ buildout_directory }}/bin/xamari
 logfile = ${monitor-directory:public}/enb.xlog
 inline =
   #!/bin/sh
-  exec ${:xamari} xlog --rotate ${:rotatespec} ${:websock} ${:logfile} ${:logspec}
+  exec ${:xamari} xlog --rotate ${:rotatespec} --password ${websocket-password:passwd} ws://127.0.1.2:9001 ${:logfile} ${:logspec}
 
 [xamari-xlog-service]
 recipe = slapos.cookbook:wrapper
@@ -291,6 +291,7 @@ extra-context =
     key icell_dict     :icell_dict
     key ipeer_dict     :ipeer_dict
     key ipeercell_dict :ipeercell_dict
+    key websocket_password websocket-password:passwd
 iru_dict       = {{ dumps(rulib.iru_dict) }}
 icell_dict     = {{ dumps(rulib.icell_dict) }}
 ipeer_dict     = {{ dumps(ipeer_dict) }}
@@ -300,9 +301,9 @@ ipeercell_dict = {{ dumps(ipeercell_dict) }}
 [publish-connection-information]
 <= monitor-publish
 recipe = slapos.cookbook:publish.serialised
-{%- if slapparameter_dict.get("websocket_password", "") %}
-websocket_url = ws://[{{my_ipv6}}]:9001
-{%- endif %}
+websocket-address = ${request-slave-frontend:connection-domain}/${nginx-params:websocket-path}
+websocket-port = 443
+websocket-password = ${websocket-password:passwd}
 enb-ipv6 = {{ my_ipv6 }}
 enb-ipv4 = {{ lan_ipv4 }}
 amarisoft-version = {{ lte_version }}
@@ -336,3 +337,109 @@ config-testing = {{ slapparameter_dict.get("testing", False) }}
 config-amarisoft-stats-log = ${ru_amarisoft-stats-template:log-output}
 config-stats-period = {{ slapparameter_dict.get("enb_stats_fetch_period", 60) }}
 config-min-rxtx-delay = {{ slapparameter_dict.get("min_rxtx_delay", 0) }}
+
+[websocket-password]
+recipe = slapos.cookbook:generate.password
+storage-path = ${directory:etc}/.websocket_pwd
+
+[request-slave-frontend-base]
+recipe = slapos.cookbook:requestoptional
+server-url = ${slap-connection:server-url}
+key-file = ${slap-connection:key-file}
+cert-file = ${slap-connection:cert-file}
+computer-id = ${slap-connection:computer-id}
+partition-id = ${slap-connection:partition-id}
+shared = true
+config-https-only = True
+config-type = websocket
+config-websocket-path-list = ${nginx-params:websocket-path}
+config-url = https://[${nginx-params:ip}]:${nginx-params:port}
+return = secure_access domain
+
+[request-slave-frontend]
+<= request-slave-frontend-base
+software-url = http://git.erp5.org/gitweb/slapos.git/blob_plain/HEAD:/software/apache-frontend/software.cfg
+software-type = default
+name = Websocket Frontend
+
+[nginx-tempdir]
+recipe = slapos.cookbook:mkdirectory
+tmp = ${buildout:directory}/tmp
+client-body-temp-path = ${:tmp}/client_body_temp_path
+proxy-temp-path = ${:tmp}/proxy_temp_path
+fastcgi-temp-path = ${:tmp}/fastcgi_temp_path
+uwsgi-temp-path = ${:tmp}/uwsgi_temp_path
+scgi-temp-path = ${:tmp}/scgi_temp_path
+
+[nginx-launcher]
+recipe = slapos.cookbook:wrapper
+command-line = ${ca-websocket:executable} -c ${nginx-config:output}
+wrapper-path = ${directory:services}/nginx
+
+[nginx-config]
+recipe = slapos.recipe.template:jinja2
+url = {{ nginx_template }}
+output = ${directory:etc}/nginx.conf
+context =
+    section params nginx-params
+    section ca ca-websocket
+    section tempdir nginx-tempdir
+    raw mime {{ nginx_mime }}
+
+[nginx-params]
+path-pid = ${directory:run}/nginx.pid
+path-error-log = ${directory:log}/nginx-error.log
+path-access-log = ${directory:log}/nginx-access.log
+ip = {{ my_ipv6 }}
+port = 6080
+websocket-ip = 127.0.1.2
+websocket-port = 9001
+websocket-path = websocket
+nb-workers = 2
+
+[nginx-graceful]
+recipe = slapos.recipe.template
+output = ${directory:scripts}/nginx-graceful
+inline =
+  #!/bin/sh
+  exec kill -s SIGHUP $(cat ${nginx-params:path-pid})
+
+[certificate-authority]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = {{ openssl_executable_location }}
+ca-dir = ${directory:ca-dir}
+requests-directory = ${cadirectory:requests}
+wrapper = ${directory:bin}/certificate_authority
+ca-private = ${cadirectory:private}
+ca-certs = ${cadirectory:certs}
+ca-newcerts = ${cadirectory:newcerts}
+ca-crl = ${cadirectory:crl}
+
+[certificate-authority-service]
+recipe = slapos.cookbook:wrapper
+command-line = ${certificate-authority:wrapper}
+wrapper-path = ${directory:services}/certificate_authority
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+
+[cadirectory]
+recipe = slapos.cookbook:mkdirectory
+requests = ${directory:ca-dir}/requests/
+private = ${directory:ca-dir}/private/
+certs = ${directory:ca-dir}/certs/
+newcerts = ${directory:ca-dir}/newcerts/
+crl = ${directory:ca-dir}/crl/
+
+[ca-websocket]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+key-file = ${directory:websocket-conf}/websocket.key
+cert-file = ${directory:websocket-conf}/websocket.crt
+executable = {{ nginx_executable }}
+wrapper = ${directory:bin}/nginx-with-ca
+
+[websocket-promise]
+<= monitor-promise-base
+promise = check_socket_listening
+name = websocket_promise.py
+config-host = ${nginx-params:ip}
+config-port = ${nginx-params:port}

software/simpleran/instance-ors-enb-input-schema.json

@@ -165,9 +165,6 @@
       "type": "object",
       "default": {}
     },
-    "websocket_password": {
-      "$ref": "instance-enb-input-schema.json#/properties/websocket_password"
-    },
     "inactivity_timer": {
       "$ref": "cell/common.json#/properties/inactivity_timer",
       "default": 10000

software/simpleran/instance-ors-gnb-input-schema.json

@@ -159,9 +159,6 @@
       "type": "object",
       "default": {}
     },
-    "websocket_password": {
-      "$ref": "instance-ors-enb-input-schema.json#/properties/websocket_password"
-    },
     "inactivity_timer": {
       "$ref": "instance-ors-enb-input-schema.json#/properties/inactivity_timer"
     },

software/simpleran/instance.cfg

@@ -152,6 +152,10 @@ extra-context =
     key enb amarisoft:enb
     key sdr amarisoft:sdr
     raw enb_template   ${enb.jinja2.cfg:target}
+    raw nginx_template   ${nginx_conf.in:target}
+    raw nginx_mime   ${nginx-output:mime}
+    raw nginx_executable ${nginx-output:nginx}
+    raw openssl_executable_location ${openssl:location}/bin/openssl
     raw slaplte_template ${slaplte.jinja2:target}
     raw drb_lte_template ${drb_lte.jinja2.cfg:target}
     raw drb_nr_template  ${drb_nr.jinja2.cfg:target}

software/simpleran/ru/amarisoft-stats.jinja2.py

 #!{{ python_path }}
 import json
+import hashlib
+import hmac
 import logging
 from logging.handlers import RotatingFileHandler
 import time
@@ -21,9 +23,20 @@ class enbWebSocket:
         if {{ testing }}:
             return
 
-        self.ws_url = "ws://127.0.1.2:9001"
+        self.ws_url = "{{ ws_url }}"
+        self.ws_password = "{{ ws_password }}"
         self.ws = create_connection(self.ws_url)
 
+        data = json.loads(self.ws.recv())
+        res = hmac.new(
+          "{}:{}:{}".format(data['type'], self.ws_password, data['name']).encode(),
+          msg=data['challenge'].encode(),
+          digestmod=hashlib.sha256
+        ).hexdigest()
+        msg = {"message": "authenticate", "res": res}
+        self.ws.send(json.dumps(msg))
+        self.ws.recv()
+
     def close(self):
         if {{ testing }}:
             return

software/simpleran/ru/libinstance.jinja2.cfg

@@ -349,6 +349,8 @@ context =
   section directory directory
   key slapparameter_dict myslap:parameter_dict
   key log_file :log-output
+  raw ws_password ${websocket-password:passwd}
+  raw ws_url ws://127.0.1.2:9001
   raw stats_period {{ slapparameter_dict.get("enb_stats_fetch_period", 60) }}
   raw testing {{ testing }}
   raw python_path {{ buildout_directory}}/bin/pythonwitheggs

software/simpleran/software.cfg

@@ -13,7 +13,9 @@ extends =
   ../../component/python3/buildout.cfg
   ../../component/python-pynacl/buildout.cfg
   ../../component/bcrypt/buildout.cfg
+  ../../component/nginx/buildout.cfg
   ../../component/numpy/buildout.cfg
+  ../../component/openssl/buildout.cfg
   ../../component/pygolang/buildout.cfg
   ../../component/git/buildout.cfg
   ../../component/dnsmasq/buildout.cfg
@@ -133,6 +135,8 @@ filename = ims.jinja2.cfg
 filename = ue.jinja2.cfg
 [slaplte.jinja2]
 <= download-base
+[nginx_conf.in]
+<= download-base
 
 # Download gadget files
 [software.cfg.html]