Remove old SSL config options.

We used to do x509 authn a long time ago.  We have since stopped doing
that, but we kept all of these confusing SSL/TLS support options around anyway.

This removes all that, and fixes #685.
This commit is contained in:
Ralph Bean
2017-10-03 13:23:53 -04:00
committed by Igor Gnatenko
parent eed37eced6
commit 0e9ccb1895
6 changed files with 5 additions and 91 deletions

Vagrantfile vendored

@@ -42,7 +42,6 @@ SCRIPT
$script_services = <<SCRIPT_SERVICES
cd /tmp/module_build_service
mbs-upgradedb > /tmp/mbs-base.out 2>&1
mbs-gencert >> /tmp/mbs-base.out 2>&1
fedmsg-relay < /dev/null >& /tmp/fedmsg-relay.out &
fedmsg-hub < /dev/null >& /tmp/fedmsg-hub.out &
mbs-frontend < /dev/null >& /tmp/mbs-frontend.out &


@@ -15,7 +15,7 @@ class BaseConfiguration(object):
SQLALCHEMY_DATABASE_URI = 'sqlite:///{0}'.format(path.join(
dbdir, 'module_build_service.db'))
SQLALCHEMY_TRACK_MODIFICATIONS = True
# Where we should run when running "manage.py runssl" directly.
# Where we should run when running "manage.py run" directly.
HOST = '0.0.0.0'
PORT = 5000
@@ -58,11 +58,6 @@ class BaseConfiguration(object):
MODULES_DEFAULT_REPOSITORY = 'git://pkgs.fedoraproject.org/modules/'
MODULES_ALLOW_REPOSITORY = False
SSL_ENABLED = True
SSL_CERTIFICATE_FILE = '/etc/module-build-service/server.crt'
SSL_CERTIFICATE_KEY_FILE = '/etc/module-build-service/server.key'
SSL_CA_CERTIFICATE_FILE = '/etc/module-build-service/cacert.pem'
ALLOWED_GROUPS = set([
'packager',
# 'modularity-wg',
@@ -137,10 +132,6 @@ class DevConfiguration(BaseConfiguration):
OIDC_CLIENT_SECRETS = path.join(confdir, 'client_secrets.json')
OIDC_REQUIRED_SCOPE = 'https://mbs.fedoraproject.org/oidc/submit-build'
SSL_CERTIFICATE_FILE = path.join(confdir, 'server.crt')
SSL_CERTIFICATE_KEY_FILE = path.join(confdir, 'server.key')
SSL_CA_CERTIFICATE_FILE = path.join(confdir, 'cacert.pem')
COPR_CONFIG = path.join(confdir, 'copr.conf')
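Review bot: The rewritten comment above `HOST = '0.0.0.0'` says only where the app runs, but with the SSL_* options gone this default now means a plaintext HTTP listener on every interface whenever someone uses `manage.py run`, and that is the caveat a reader of this class needs. I would make the comment say so: `# Listen address for "manage.py run". This is plain HTTP on all interfaces; only for development, or put a TLS-terminating proxy in front.` The OIDC settings in DevConfiguration suggest bearer tokens pass through this listener, so an operator who keeps the old behaviour in mind could deploy it unprotected. BaseConfiguration and DevConfiguration both continue outside the hunks shown here.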


@@ -3,7 +3,7 @@ services:
base:
build: .
command: bash -c "mbs-upgradedb && mbs-gencert && touch /etc/module-build-service/.ready"
command: bash -c "mbs-upgradedb && touch /etc/module-build-service/.ready"
volumes:
- ./:/tmp/module_build_service:z
- /etc/module-build-service


@@ -227,18 +227,6 @@ class Config(object):
'type': bool,
'default': False,
'desc': 'Allow custom included modules repositories.'},
'ssl_certificate_file': {
'type': str,
'default': '',
'desc': ''},
'ssl_certificate_key_file': {
'type': str,
'default': '',
'desc': ''},
'ssl_ca_certificate_file': {
'type': str,
'default': '',
'desc': ''},
'allowed_groups': {
'type': set,
'default': set(['packager']),


@@ -68,27 +68,6 @@ See also:
return wrapped
def _establish_ssl_context():
if not conf.ssl_enabled:
return None
# First, do some validation of the configuration
attributes = (
'ssl_certificate_file',
'ssl_certificate_key_file',
'ssl_ca_certificate_file',
)
for attribute in attributes:
value = getattr(conf, attribute, None)
if not value:
raise ValueError("%r could not be found" % attribute)
if not os.path.exists(value):
raise OSError("%s: %s file not found." % (attribute, value))
return (os.path.abspath(conf.ssl_certificate_file),
os.path.abspath(conf.ssl_certificate_key_file))
@console_script_help
@manager.command
def upgradedb():
@@ -149,48 +128,8 @@ def build_module_locally(url, branch, local_build_nsvs=None, skiptests=False):
@console_script_help
@manager.command
def generatelocalhostcert():
""" Creates a public/private key pair for the frontend
"""
from OpenSSL import crypto
cert_key = crypto.PKey()
cert_key.generate_key(crypto.TYPE_RSA, 2048)
with open(conf.ssl_certificate_key_file, 'w') as cert_key_file:
os.chmod(conf.ssl_certificate_key_file, 0o600)
cert_key_file.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, cert_key))
cert = crypto.X509()
msg_cert_subject = cert.get_subject()
msg_cert_subject.C = 'US'
msg_cert_subject.ST = 'MA'
msg_cert_subject.L = 'Boston'
msg_cert_subject.O = 'Development'
msg_cert_subject.CN = 'localhost'
cert.set_serial_number(random.randint(2, 99999999))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000) # 10 years
cert.set_issuer(cert.get_subject())
cert.set_pubkey(cert_key)
cert_extensions = [
crypto.X509Extension(
'keyUsage', True,
'digitalSignature, keyEncipherment, nonRepudiation'),
crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
]
cert.add_extensions(cert_extensions)
cert.sign(cert_key, 'sha256')
with open(conf.ssl_certificate_file, 'w') as cert_file:
cert_file.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
@console_script_help
@manager.command
def runssl(host=None, port=None, debug=None):
""" Runs the Flask app with the HTTPS settings configured in config.py
def run(host=None, port=None, debug=None):
""" Runs the Flask app, locally.
"""
host = host or conf.host
port = port or conf.port
@@ -198,11 +137,9 @@ def runssl(host=None, port=None, debug=None):
logging.info('Starting Module Build Service frontend')
ssl_ctx = _establish_ssl_context()
app.run(
host=host,
port=port,
ssl_context=ssl_ctx,
debug=debug
)


@@ -25,8 +25,7 @@ setup(name='module-build-service',
tests_require=test_requirements,
entry_points={
'console_scripts': ['mbs-upgradedb = module_build_service.manage:upgradedb',
'mbs-gencert = module_build_service.manage:generatelocalhostcert',
'mbs-frontend = module_build_service.manage:runssl',
'mbs-frontend = module_build_service.manage:run',
'mbs-manager = module_build_service.manage:manager_wrapper'],
'moksha.consumer': 'mbsconsumer = module_build_service.scheduler.consumer:MBSConsumer',
'moksha.producer': 'mbspoller = module_build_service.scheduler.producer:MBSProducer',