Merge pull request #248 from StackStorm/feature/rabbitmq-auth

Added support for RabbitMQ auth along with additional config options

CHANGELOG.md

@@ -39,7 +39,27 @@
 - Fixed bug where the default nginx splash page was not being removed
   on RHEL/CentOS installs. (Bugfix)
   Contributed by @nmaludy
-
+
+- Added authentication for RabbitMQ, by default.
+  The authentication options are available in the `::st2` class:
+    - `rabbitmq_username` : Username for the new RabbitMQ user (default: `st2admin`)
+    - `rabbitmq_password` : Password for the new RabbitMQ user (default: `Ch@ngMe`)
+  When upgrading to this new version, this will force a restart of all StackStorm
+  and Mistral services as the new password is applied. (Feature)
+  Contributed by @nmaludy
+
+- Remove the insecure RabbitMQ default `guest` user on RabbitMQ instances. 
+  Note: this will remove this user on new AND existing instances. (Enhancement)
+  Contributed by @nmaludy
+
+- Added support for additional RabbitMQ configuration options:
+    - `rabbitmq_hostname` : Hostname of the RabbitMQ server (default: `127.0.0.1`)
+    - `rabbitmq_port` : Port to connect to the RabbitMQ server (default: `5672`)
+    - `rabbitmq_bind_ip` : IP address to bind the RabbitMQ server to (default: `127.0.0.1`)
+    - `rabbitmq_vhost` : Virtual Host for the StackStorm content on RabbitMQ (default: `/`)
+  (Feature)
+  Contributed by @nmaludy
+
 ## 1.1.0 (Sep 07, 2018)
 
 - DEPRECATION WARNING - Dropped support for Puppet 3. (Enhancement)

Makefile

@@ -2,7 +2,7 @@ THIS_FILE := $(lastword $(MAKEFILE_LIST))
 ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
 .PHONY: clean
-clean: clean-kitchen clean-puppet-librarian clean-bundler
+clean: clean-kitchen clean-puppet-librarian clean-bundler clean-pkg
 
 # Clean kitchen build files
 .PHONY: clean-kitchen
@@ -26,9 +26,17 @@ clean-bundler:
 	@echo
 	@echo "== clean-bundler ======================================"
 	@echo
-	rm -rf build/kitchen/.bundle
-	rm -rf build/kitchen/vendor
-	rm -rf .bundle
-	rm -rf Gemfile.lock
-	rm -rf vendor
+	rm -rf ${ROOT_DIR}/build/kitchen/.bundle
+	rm -rf ${ROOT_DIR}/build/kitchen/vendor
+	rm -rf ${ROOT_DIR}/.bundle
+	rm -rf ${ROOT_DIR}/Gemfile.lock
+	rm -rf ${ROOT_DIR}/vendor
 	rm -rf /tmp/puppet-st2/build
+
+# Clean packages
+.PHONY: clean-pkg
+clean-pkg:
+	@echo
+	@echo "== clean-pkg ======================================"
+	@echo
+	rm -rf ${ROOT_DIR}/pkg

Vagrantfile

@@ -0,0 +1,88 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Description:
+#   This is a Vagrant file for developers to quickly get started with development
+#   on the puppet-st2 module.
+#
+# Usage:
+#   - Install VirtualBox (https://www.virtualbox.org/manual/ch02.html)
+#     - OR Install KVM/libvirt (https://www.linuxtechi.com/install-kvm-hypervisor-on-centos-7-and-rhel-7/)
+#   - Install Vagrant (https://www.vagrantup.com/docs/installation/)
+#
+#   - Start vagrant VM
+#       vagrant up
+#
+#   - In another terminal start up the rsync-auto daemon.
+#     Now, if you make any changes the code will be copied into the VM. This way you can
+#     re-run Puppet with your latest code without having to manually copy the code in:
+#       vagrant rsync-auto
+#
+#   - Login to vagrant VM
+#       vagrant ssh
+#
+#   - Fix sudoers directory
+#       sudo chmod 4400 -R /etc/sudoers.d
+#
+#   - Run puppet to install StackStorm
+#       sudo su -
+#       puppet apply -e "include ::st2::profile::fullinstall"
+#
+#   - Keep editing files locally and re-running puppet with the command above
+
+# hostname of the VM
+hostname   = ENV['HOSTNAME'] ? ENV['HOSTNAME'] : 'puppet-st2-vagrant'
+
+# We also support the :libvirt provider for CentOS / RHEL folks
+provider   = ENV['PROVIDER'] ? ENV['PROVIDER'] : :libvirt
+
+# The following boxes will work for both :virtualbox and :libvirt providers
+#  - centos/6
+#  - centos/7
+#  - generic/1404
+#  - generic/1604
+box        = ENV['BOX'] ? ENV['BOX'] : 'centos/7'
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.define "st2" do |st2|
+    # Box details
+    st2.vm.box = "#{box}"
+    st2.vm.hostname = "#{hostname}"
+
+    # Box Specifications
+    if provider == :virtualbox
+      st2.vm.provider :virtualbox do |vb|
+        vb.name = "#{hostname}"
+        vb.memory = 2048
+        vb.cpus = 2
+        vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+      end
+    elsif provider == :libvirt
+      st2.vm.provider :libvirt do |lv|
+        lv.host = "#{hostname}"
+        lv.memory = 2048
+        lv.cpus = 2
+        lv.uri = "qemu:///system"
+        lv.storage_pool_name = "images"
+      end
+    else
+      raise RuntimeError.new("Unsupported provider: #{provider}")
+    end
+
+    # sync code into box for development
+    # To setup automatic rsyncing, in another shell session you need to run:
+    #   vagrant rsync-auto
+    #
+    # https://www.vagrantup.com/docs/cli/rsync-auto.html
+    st2.vm.synced_folder ".", "/vagrant", type: 'rsync', rsync__auto: true
+
+    # Start shell provisioning.
+    st2.vm.provision "shell" do |s|
+      s.path = "build/scripts/install_puppet.sh"
+      s.privileged = false
+    end
+  end
+end

build/scripts/ci_docker_unit.sh

@@ -2,6 +2,8 @@
 set -e
 set -o xtrace
 
+export CHECK="${CHECK:-syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop parallel_spec}"
+
 docker build -t stackstorm/puppet-st2-$TEST_NAME -f build/$TEST_NAME/Dockerfile .
 docker run -dit --name stackstorm-puppet-st2-$TEST_NAME stackstorm/puppet-st2-$TEST_NAME
 docker exec stackstorm-puppet-st2-$TEST_NAME bash -l -c "bundle exec rake $CHECK"

build/scripts/ci_pdk_unit.sh

@@ -2,4 +2,7 @@
 set -e
 set -o xtrace
 
+export CHECK="${CHECK:-syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop parallel_spec}"
+
+bundle install --without system_tests
 bundle exec rake $CHECK

build/scripts/install_puppet.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# install puppet
+curl -sSL https://raw.githubusercontent.com/nmaludy/puppet-install-shell/master/install_puppet_6_agent.sh | sudo bash -s
+
+# install librarian-puppet
+sudo /opt/puppetlabs/puppet/bin/gem install librarian-puppet
+
+# Install git
+sudo yum -y install git
+
+# Install puppet module dependencies
+sudo -i bash -c "pushd /vagrant/build/centos7-puppet6 && /opt/puppetlabs/puppet/bin/librarian-puppet install --verbose --path=/etc/puppetlabs/code/modules"
+
+# Create symlink for the st2/ puppet module in the Pupept code directory.
+# This allows us to make changes locally, outside of the VM then automatically available
+# within the VM so you can run `puppet agent -t` and it will just work!
+#
+# FYI the local puppet-st2/ directory is automatically mounted as /vagrant
+#     inside the vagrant VM when it comes up, that's why we're linking /vagrant as st2/
+sudo ln -s /vagrant /etc/puppetlabs/code/modules/st2

lib/puppet/functions/st2/urlencode.rb

@@ -0,0 +1,11 @@
+require 'cgi'
+
+Puppet::Functions.create_function(:'st2::urlencode') do
+  dispatch :urlencode do
+    param 'String', :url
+  end
+
+  def urlencode(url)
+    CGI.escape(url)
+  end
+end

manifests/init.pp

@@ -169,6 +169,12 @@
   $datastore_keys_dir       = $::st2::params::datstore_keys_dir,
   $datastore_key_path       = "${::st2::params::datstore_keys_dir}/datastore_key.json",
   $nginx_manage_repo        = true,
+  $rabbitmq_username        = $::st2::params::rabbitmq_username,
+  $rabbitmq_password        = $::st2::params::rabbitmq_password,
+  $rabbitmq_hostname        = $::st2::params::rabbitmq_hostname,
+  $rabbitmq_port            = $::st2::params::rabbitmq_port,
+  $rabbitmq_bind_ip         = $::st2::params::rabbitmq_bind_ip,
+  $rabbitmq_vhost           = $::st2::params::rabbitmq_vhost,
   $timersengine_enabled     = $::st2::params::st2timersengine_enabled,
   $timersengine_timezone    = $::st2::params::st2timersengine_timezone,
   $chatops_adapter          = $::st2::params::chatops_adapter,
@@ -186,7 +192,6 @@
   $nodejs_version           = undef,
   $nodejs_manage_repo       = true,
 ) inherits st2::params {
-
   ########################################
   ## Control commands
   exec {'/usr/bin/st2ctl reload --register-all':

manifests/params.pp

@@ -147,9 +147,12 @@
   $mongodb_st2_roles = ['readWrite']
 
   ## RabbitMQ
-  $rabbitmq_port = 25672
-  $rabbitmq_protocol = 'tcp'
-  $rabbitmq_selinux_type = 'amqp_port_t'
+  $rabbitmq_username = $admin_username
+  $rabbitmq_password = $admin_password
+  $rabbitmq_hostname = '127.0.0.1'
+  $rabbitmq_port = 5672
+  $rabbitmq_bind_ip = '127.0.0.1'
+  $rabbitmq_vhost = '/'
 
   ## chatops default config
   $st2_chatops_dir  = '/opt/stackstorm/chatops'

manifests/profile/mistral.pp

@@ -28,11 +28,16 @@
 #  }
 #
 class st2::profile::mistral(
-  $version     = $st2::version,
-  $db_server   = '127.0.0.1',
-  $db_name     = 'mistral',
-  $db_username = 'mistral',
-  $db_password = $st2::db_password,
+  $version           = $st2::version,
+  $db_server         = '127.0.0.1',
+  $db_name           = 'mistral',
+  $db_username       = 'mistral',
+  $db_password       = $st2::db_password,
+  $rabbitmq_username = $::st2::rabbitmq_username,
+  $rabbitmq_password = $::st2::rabbitmq_password,
+  $rabbitmq_hostname = $::st2::rabbitmq_hostname,
+  $rabbitmq_port     = $::st2::rabbitmq_port,
+  $rabbitmq_vhost    = $::st2::rabbitmq_vhost,
 ) inherits st2 {
   include ::st2::params
 
@@ -65,6 +70,19 @@
     tag     => 'mistral',
   }
 
+  # URL encode the RabbitMQ password, in case it contains special characters that
+  # can mess up the URL.
+  $_rabbitmq_pass = st2::urlencode($rabbitmq_password)
+  ini_setting { 'DEFAULT_transport_url':
+    ensure  => present,
+    path    => $mistral_config,
+    section => 'DEFAULT',
+    setting => 'transport_url',
+    value   => "rabbit://${rabbitmq_username}:${_rabbitmq_pass}@${rabbitmq_hostname}:${rabbitmq_port}/${rabbitmq_vhost}",
+    tag     => 'mistral',
+  }
+
+
   # TODO add extra config params
   # https://forge.puppet.com/puppetlabs/inifile
   # create_ini_settings()

manifests/profile/rabbitmq.pp

@@ -15,24 +15,39 @@
 #
 #  include st2::profile::rabbitmq
 #
-class st2::profile::rabbitmq {
+class st2::profile::rabbitmq (
+  $username = $::st2::rabbitmq_username,
+  $password = $::st2::rabbitmq_password,
+  $port     = $::st2::rabbitmq_port,
+  $bind_ip  = $::st2::rabbitmq_bind_ip,
+  $vhost    = $::st2::rabbitmq_vhost,
+) inherits st2 {
 
-  if versioncmp($::puppetversion, '4') >= 0 {
-    # In new versions of the RabbitMQ module we need to explicitly turn off
-    # the ranch TCP settings so that Kombu can connect via AMQP
-    class { '::rabbitmq' :
-      config_ranch          => false,
-      environment_variables => {
-        'RABBITMQ_NODE_IP_ADDRESS' => '127.0.0.1',
-      },
-    }
+  # In new versions of the RabbitMQ module we need to explicitly turn off
+  # the ranch TCP settings so that Kombu can connect via AMQP
+  class { '::rabbitmq' :
+    config_ranch          => false,
+    delete_guest_user     => true,
+    port                  => $port,
+    environment_variables => {
+      'RABBITMQ_NODE_IP_ADDRESS' => $::st2::rabbitmq_bind_ip,
+    },
   }
-  else {
-    class { '::rabbitmq':
-      environment_variables => {
-        'RABBITMQ_NODE_IP_ADDRESS' => '127.0.0.1',
-      },
-    }
+  contain '::rabbitmq'
+
+  rabbitmq_user { $username:
+    admin    => true,
+    password => $password,
+  }
+
+  rabbitmq_vhost { $vhost:
+    ensure => present,
+  }
+
+  rabbitmq_user_permissions { "${username}@${vhost}":
+    configure_permission => '.*',
+    read_permission      => '.*',
+    write_permission     => '.*',
   }
 
   # RHEL needs EPEL installed prior to rabbitmq

manifests/profile/server.pp

@@ -51,6 +51,11 @@
   $ng_init                = $::st2::ng_init,
   $db_username            = $::st2::db_username,
   $db_password            = $::st2::db_password,
+  $rabbitmq_username      = $::st2::rabbitmq_username,
+  $rabbitmq_password      = $::st2::rabbitmq_password,
+  $rabbitmq_hostname      = $::st2::rabbitmq_hostname,
+  $rabbitmq_port          = $::st2::rabbitmq_port,
+  $rabbitmq_vhost         = $::st2::rabbitmq_vhost,
   $index_url              = $::st2::index_url,
 ) inherits st2 {
   include ::st2::notices
@@ -211,7 +216,7 @@
     tag     => 'st2::config',
   }
 
-  ## Database settings
+  ## Database settings (MongoDB)
   ini_setting { 'database_username':
     ensure  => present,
     path    => '/etc/st2/st2.conf',
@@ -229,6 +234,20 @@
     tag     => 'st2::config',
   }
 
+  ## Messaging Settings (RabbitMQ)
+
+  # URL encode the RabbitMQ password, in case it contains special characters that
+  # can mess up the URL in the config.
+  $_rabbitmq_pass = st2::urlencode($rabbitmq_password)
+  ini_setting { 'messaging_url':
+    ensure  => present,
+    path    => '/etc/st2/st2.conf',
+    section => 'messaging',
+    setting => 'url',
+    value   => "amqp://${rabbitmq_username}:${_rabbitmq_pass}@${rabbitmq_hostname}:${rabbitmq_port}/${rabbitmq_vhost}",
+    tag     => 'st2::config',
+  }
+
   ## Notifier Settings
   ini_setting { 'notifier_logging':
     ensure  => present,