new file mode 100644

@@ -0,0 +1 @@

+stud

@@ -4,7 +4,7 @@

 # Dependencies:

 # ``functions`` file

 # ``BASE_SQL_CONN``

-# ``SERVICE_HOST``

+# ``SERVICE_HOST``, ``SERVICE_PROTOCOL``

 # ``SERVICE_TOKEN``

 # ``S3_SERVICE_PORT`` (template backend only)

@@ -48,10 +48,14 @@ KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}

 # Set Keystone interface configuration

 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}

 KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}

-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}

+KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}

+KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}

+

+# Public facing bits

 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}

 KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}

-KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http}

+KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}

+KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}

 # Entry Points

@@ -88,6 +92,13 @@ function configure_keystone() {

     # Rewrite stock ``keystone.conf``

     local dburl

     database_connection_url dburl keystone

+

+    if is_service_enabled tls-proxy; then

+        # Set the service ports for a proxy to take the originals

+        iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT

+        iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT

+    fi

+

     iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"

     iniset $KEYSTONE_CONF signing token_format "$KEYSTONE_TOKEN_FORMAT"

     iniset $KEYSTONE_CONF sql connection $dburl

@@ -213,9 +224,9 @@ create_keystone_accounts() {

         keystone endpoint-create \

             --region RegionOne \

             --service_id $KEYSTONE_SERVICE \

-            --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \

-            --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \

-            --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"

+            --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" \

+            --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0" \

+            --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0"

     fi

     # TODO(dtroyer): This is part of a series of changes...remove these when

@@ -268,13 +279,25 @@ function install_keystone() {

 # start_keystone() - Start running processes, including screen

 function start_keystone() {

+    # Get right service port for testing

+    local service_port=$KEYSTONE_SERVICE_PORT

+    if is_service_enabled tls-proxy; then

+        service_port=$KEYSTONE_SERVICE_PORT_INT

+    fi

+

     # Start Keystone in a screen window

     screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"

     echo "Waiting for keystone to start..."

-    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then

+    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s http://$SERVICE_HOST:$service_port/v2.0/ >/dev/null; do sleep 1; done"; then

       echo "keystone did not start"

       exit 1

     fi

+

+    # Start proxies if enabled

+    if is_service_enabled tls-proxy; then

+        start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &

+        start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &

+    fi

 }

 # stop_keystone() - Stop running processes

new file mode 100644

@@ -0,0 +1,314 @@

+# lib/tls

+# Functions to control the configuration and operation of the TLS proxy service

+

+# Dependencies:

+# !! source _before_ any services that use ``SERVICE_HOST``

+# ``functions`` file

+# ``DEST``, ``DATA_DIR`` must be defined

+# ``HOST_IP``, ``SERVICE_HOST``

+# ``KEYSTONE_TOKEN_FORMAT`` must be defined

+

+# Entry points:

+# configure_CA

+# init_CA

+

+# configure_proxy

+# start_tls_proxy

+

+# make_root_ca

+# make_int_ca

+# new_cert $INT_CA_DIR int-server "abc"

+# start_tls_proxy HOST_IP 5000 localhost 5000

+

+

+if is_service_enabled tls-proxy; then

+    # TODO(dtroyer): revisit this below after the search for HOST_IP has been done

+    TLS_IP=${TLS_IP:-$SERVICE_IP}

+

+    # Set the default ``SERVICE_PROTOCOL`` for TLS

+    SERVICE_PROTOCOL=https

+fi

+

+# Make up a hostname for cert purposes

+# will be added to /etc/hosts?

+DEVSTACK_HOSTNAME=secure.devstack.org

+DEVSTACK_CERT_NAME=devstack-cert

+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem

+

+# CA configuration

+ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}

+INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}

+

+ORG_NAME="OpenStack"

+ORG_UNIT_NAME="DevStack"

+

+# Stud configuration

+STUD_PROTO="--tls"

+STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'

+

+

+# CA Functions

+# ============

+

+# There may be more than one, get specific

+OPENSSL=${OPENSSL:-/usr/bin/openssl}

+

+# Do primary CA configuration

+function configure_CA() {

+    # build common config file

+

+    # Verify ``TLS_IP`` is good

+    if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then

+        # auto-discover has changed the IP

+        TLS_IP=$HOST_IP

+    fi

+}

+

+# Creates a new CA directory structure

+# create_CA_base ca-dir

+function create_CA_base() {

+    local ca_dir=$1

+

+    if [[ -d $ca_dir ]]; then

+        # Bail out it exists

+        return 0

+    fi

+

+    for i in certs crl newcerts private; do

+        mkdir -p $ca_dir/$i

+    done

+    chmod 710 $ca_dir/private

+    echo "01" >$ca_dir/serial

+    cp /dev/null $ca_dir/index.txt

+}

+

+

+# Create a new CA configuration file

+# create_CA_config ca-dir common-name

+function create_CA_config() {

+    local ca_dir=$1

+    local common_name=$2

+

+    echo "

+[ ca ]

+default_ca = CA_default

+

+[ CA_default ]

+dir                     = $ca_dir

+policy                  = policy_match

+database                = \$dir/index.txt

+serial                  = \$dir/serial

+certs                   = \$dir/certs

+crl_dir                 = \$dir/crl

+new_certs_dir           = \$dir/newcerts

+certificate             = \$dir/cacert.pem

+private_key             = \$dir/private/cacert.key

+RANDFILE                = \$dir/private/.rand

+default_md              = default

+

+[ req ]

+default_bits            = 1024

+default_md              = sha1

+

+prompt                  = no

+distinguished_name      = ca_distinguished_name

+

+x509_extensions         = ca_extensions

+

+[ ca_distinguished_name ]

+organizationName        = $ORG_NAME

+organizationalUnitName  = $ORG_UNIT_NAME Certificate Authority

+commonName              = $common_name

+

+[ policy_match ]

+countryName             = optional

+stateOrProvinceName     = optional

+organizationName        = match

+organizationalUnitName  = optional

+commonName              = supplied

+

+[ ca_extensions ]

+basicConstraints        = critical,CA:true

+subjectKeyIdentifier    = hash

+authorityKeyIdentifier  = keyid:always, issuer

+keyUsage                = cRLSign, keyCertSign

+

+" >$ca_dir/ca.conf

+}

+

+# Create a new signing configuration file

+# create_signing_config ca-dir

+function create_signing_config() {

+    local ca_dir=$1

+

+    echo "

+[ ca ]

+default_ca = CA_default

+

+[ CA_default ]

+dir                     = $ca_dir

+policy                  = policy_match

+database                = \$dir/index.txt

+serial                  = \$dir/serial

+certs                   = \$dir/certs

+crl_dir                 = \$dir/crl

+new_certs_dir           = \$dir/newcerts

+certificate             = \$dir/cacert.pem

+private_key             = \$dir/private/cacert.key

+RANDFILE                = \$dir/private/.rand

+default_md              = default

+

+[ req ]

+default_bits            = 1024

+default_md              = sha1

+

+prompt                  = no

+distinguished_name      = req_distinguished_name

+

+x509_extensions         = req_extensions

+

+[ req_distinguished_name ]

+organizationName        = $ORG_NAME

+organizationalUnitName  = $ORG_UNIT_NAME Server Farm

+

+[ policy_match ]

+countryName             = optional

+stateOrProvinceName     = optional

+organizationName        = match

+organizationalUnitName  = optional

+commonName              = supplied

+

+[ req_extensions ]

+basicConstraints        = CA:false

+subjectKeyIdentifier    = hash

+authorityKeyIdentifier  = keyid:always, issuer

+keyUsage                = digitalSignature, keyEncipherment, keyAgreement

+extendedKeyUsage        = serverAuth, clientAuth

+subjectAltName          = \$ENV::SUBJECT_ALT_NAME

+

+" >$ca_dir/signing.conf

+}

+

+# Create root and intermediate CAs and an initial server cert

+# init_CA

+function init_CA {

+    # Ensure CAs are built

+    make_root_CA $ROOT_CA_DIR

+    make_int_CA $INT_CA_DIR $ROOT_CA_DIR

+

+    # Create the CA bundle

+    cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem

+

+    if [[ ! -r $DEVSTACK_CERT ]]; then

+        if [[ -n "$TLS_IP" ]]; then

+            # Lie to let incomplete match routines work

+            TLS_IP="DNS:$TLS_IP"

+        fi

+        make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"

+

+        # Create a cert bundle

+        cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT

+    fi

+}

+

+

+# make_cert creates and signs a new certificate with the given commonName and CA

+# make_cert ca-dir cert-name "common-name" ["alt-name" ...]

+function make_cert() {

+    local ca_dir=$1

+    local cert_name=$2

+    local common_name=$3

+    local alt_names=$4

+

+    # Generate a signing request

+    $OPENSSL req \

+        -sha1 \

+        -newkey rsa \

+        -nodes \

+        -keyout $ca_dir/private/$cert_name.key \

+        -out $ca_dir/$cert_name.csr \

+        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"

+

+    if [[ -z "$alt_names" ]]; then

+        alt_names="DNS:${common_name}"

+    else

+        alt_names="DNS:${common_name},${alt_names}"

+    fi

+

+    # Sign the request valid for 1 year

+    SUBJECT_ALT_NAME="$alt_names" \

+    $OPENSSL ca -config $ca_dir/signing.conf \

+        -extensions req_extensions \

+        -days 365 \

+        -notext \

+        -in $ca_dir/$cert_name.csr \

+        -out $ca_dir/$cert_name.crt \

+        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \

+        -batch

+}

+

+

+# Make an intermediate CA to sign everything else

+# make_int_CA ca-dir signing-ca-dir

+function make_int_CA() {

+    local ca_dir=$1

+    local signing_ca_dir=$2

+

+    # Create the root CA

+    create_CA_base $ca_dir

+    create_CA_config $ca_dir 'Intermediate CA'

+    create_signing_config $ca_dir

+

+    # Create a signing certificate request

+    $OPENSSL req -config $ca_dir/ca.conf \

+        -sha1 \

+        -newkey rsa \

+        -nodes \

+        -keyout $ca_dir/private/cacert.key \

+        -out $ca_dir/cacert.csr \

+        -outform PEM

+

+    # Sign the intermediate request valid for 1 year

+    $OPENSSL ca -config $signing_ca_dir/ca.conf \

+        -extensions ca_extensions \

+        -days 365 \

+        -notext \

+        -in $ca_dir/cacert.csr \

+        -out $ca_dir/cacert.pem \

+        -batch

+}

+

+# Make a root CA to sign other CAs

+# make_root_CA ca-dir

+function make_root_CA() {

+    local ca_dir=$1

+

+    # Create the root CA

+    create_CA_base $ca_dir

+    create_CA_config $ca_dir 'Root CA'

+

+    # Create a self-signed certificate valid for 5 years

+    $OPENSSL req -config $ca_dir/ca.conf \

+        -x509 \

+        -nodes \

+        -newkey rsa \

+        -days 21360 \

+        -keyout $ca_dir/private/cacert.key \

+        -out $ca_dir/cacert.pem \

+        -outform PEM

+}

+

+

+# Proxy Functions

+# ===============

+

+# Starts the TLS proxy for the given IP/ports

+# start_tls_proxy front-host front-port back-host back-port

+function start_tls_proxy() {

+    local f_host=$1

+    local f_port=$2

+    local b_host=$3

+    local b_port=$4

+

+    stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null

+}

@@ -26,6 +26,9 @@ source $RC_DIR/functions

 # Load local configuration

 source $RC_DIR/stackrc

+# Get some necessary configuration

+source $RC_DIR/lib/tls

+

 # The introduction of Keystone to the OpenStack ecosystem has standardized the

 # term **tenant** as the entity that owns resources.  In some places references

 # still exist to the original Nova term **project** for this use.  Also,

@@ -49,6 +52,7 @@ export OS_NO_CACHE=${OS_NO_CACHE:-1}

 # which is convenient for some localrc configurations.

 HOST_IP=${HOST_IP:-127.0.0.1}

 SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}

+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}

 # Some exercises call glance directly.  On a single-node installation, Glance

 # should be listening on HOST_IP.  If its running elsewhere, it can be set here

@@ -61,7 +65,10 @@ GLANCE_HOST=${GLANCE_HOST:-$HOST_IP}

 #

 # *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0.  We

 # will use the 1.1 *compute api*

-export OS_AUTH_URL=http://$SERVICE_HOST:5000/v2.0

+export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0

+

+# Set the pointer to our CA certificate chain.  Harmless if TLS is not used.

+export OS_CACERT=$INT_CA_DIR/ca-chain.pem

 # Currently novaclient needs you to specify the *compute api* version.  This

 # needs to match the config of your catalog returned by Keystone.

@@ -288,6 +288,7 @@ fi

 # Allow the use of an alternate hostname (such as localhost/127.0.0.1) for service endpoints.

 SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}

+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}

 # Configure services to use syslog instead of writing to individual log files

 SYSLOG=`trueorfalse False $SYSLOG`

@@ -305,6 +306,7 @@ SERVICE_TIMEOUT=${SERVICE_TIMEOUT:-60}

 # ==================

 # Get project function libraries

+source $TOP_DIR/lib/tls

 source $TOP_DIR/lib/horizon

 source $TOP_DIR/lib/keystone

 source $TOP_DIR/lib/glance

@@ -847,6 +849,12 @@ if [[ $TRACK_DEPENDS = True ]] ; then

     exit 0

 fi

+if is_service_enabled tls-proxy; then

+    configure_CA

+    init_CA

+    # Add name to /etc/hosts

+    # don't be naive and add to existing line!

+fi

 # Syslog

 # ------

@@ -923,12 +931,17 @@ screen -r $SCREEN_NAME -X hardstatus alwayslastline "$SCREEN_HARDSTATUS"

 if is_service_enabled key; then

     echo_summary "Starting Keystone"

-    configure_keystone

     init_keystone

     start_keystone

     # Set up a temporary admin URI for Keystone

-    SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0

+    SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0

+

+    if is_service_enabled tls-proxy; then

+        export OS_CACERT=$INT_CA_DIR/ca-chain.pem

+        # Until the client support is fixed, just use the internal endpoint

+        SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0

+    fi

     # Do the keystone-specific bits from keystone_data.sh

     export OS_SERVICE_TOKEN=$SERVICE_TOKEN

@@ -6,6 +6,9 @@ RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)

 # Destination path for installation

 DEST=/opt/stack

+# Destination for working data

+DATA_DIR=${DEST}/data

+

 # Select the default database

 DATABASE_TYPE=mysql

@@ -62,6 +62,11 @@ if is_service_enabled horizon; then

     stop_horizon

 fi

+# Kill TLS proxies

+if is_service_enabled tls-proxy; then

+    killall stud

+fi

+

 SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*

 # Get the iSCSI volumes