choria-legacy · ripienaar · Nov 22, 2019 · Nov 21, 2019
diff --git a/Gemfile b/Gemfile
@@ -1,8 +1,9 @@
 source "https://rubygems.org"
 
-gem "nats-pure", "~> 0.5"
+gem "nats-pure", "~> 0.6"
 
 group :development, :test do
+  gem "choria-mcorpc-support"
   gem "coveralls"
   gem "diplomat", "~> 2"
   gem "etcdv3", "~> 0.6.0"
@@ -11,9 +12,8 @@ group :development, :test do
   gem "jgrep", ">= 1.5.0"
   gem "json-schema-rspec"
   gem "listen", "~> 3"
-  gem "mcollective-client"
   gem "mocha"
-  gem "puppet", "~> 5.4"
+  gem "puppet", "~> 6"
   gem "rake"
   gem "rspec"
   gem "rubocop", "0.51.0"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,10 +1,14 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.0)
+    choria-mcorpc-support (2.20.0)
+      json (~> 2.1, >= 2.1.0)
+      systemu (~> 2.6, >= 2.6.4)
     coderay (1.1.2)
+    concurrent-ruby (1.1.5)
     coveralls (0.8.23)
       json (>= 1.8, < 3)
       simplecov (~> 0.16.1)
@@ -22,13 +26,13 @@ GEM
     etcdv3 (0.6.0)
       faraday (= 0.11.0)
       grpc (= 1.2.5)
-    facter (2.5.5)
+    facter (2.5.6)
     faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    fast_gettext (1.1.2)
-    ffi (1.11.1)
+    fast_gettext (1.8.0)
+    ffi (1.11.2)
     formatador (0.2.5)
-    google-protobuf (3.9.1)
+    google-protobuf (3.10.1)
     googleauth (0.5.1)
       faraday (~> 0.9)
       jwt (~> 1.4)
@@ -40,7 +44,7 @@ GEM
     grpc (1.2.5)
       google-protobuf (~> 3.1)
       googleauth (~> 0.5.1)
-    guard (2.15.0)
+    guard (2.16.1)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
       lumberjack (>= 1.0.12, < 2.0)
@@ -58,75 +62,79 @@ GEM
       guard (>= 2.0.0)
       guard-compat (~> 1.0)
     hashdiff (1.0.0)
-    hiera (3.5.0)
-    jgrep (1.5.0)
+    hiera (3.6.0)
+    hocon (1.3.0)
+    httpclient (2.8.3)
+    jgrep (1.5.1)
     json (2.2.0)
     json-schema (2.8.1)
       addressable (>= 2.4)
     json-schema-rspec (0.0.4)
       json-schema (~> 2.5)
       rspec
     jwt (1.5.6)
-    listen (3.1.5)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-      ruby_dep (~> 1.2)
+    listen (3.2.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
     little-plugger (1.1.4)
     locale (2.1.2)
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
     lumberjack (1.0.13)
-    mcollective-client (2.12.4)
-      json
-      stomp
-      systemu
-    memoist (0.16.0)
+    memoist (0.16.1)
     metaclass (0.0.4)
     method_source (0.9.2)
     mocha (1.9.0)
       metaclass (~> 0.0.1)
-    multi_json (1.13.1)
+    multi_json (1.14.1)
     multipart-post (2.1.1)
     nats-pure (0.6.2)
     nenv (0.3.0)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
     os (0.9.6)
-    parallel (1.17.0)
-    parser (2.6.3.0)
+    parallel (1.19.0)
+    parser (2.6.5.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.1.1)
-    puppet (5.5.16)
+    public_suffix (4.0.1)
+    puppet (6.11.1)
+      concurrent-ruby (~> 1.0)
+      deep_merge (~> 1.0)
       facter (> 2.0.1, < 4)
-      fast_gettext (~> 1.1.2)
+      fast_gettext (~> 1.1)
       hiera (>= 3.2.1, < 4)
+      httpclient (~> 2.8)
       locale (~> 2.1)
       multi_json (~> 1.10)
+      puppet-resource_api (~> 1.5)
+      semantic_puppet (~> 1.0)
+    puppet-resource_api (1.8.7)
+      hocon (>= 1.0)
     rainbow (2.2.2)
       rake
-    rake (12.3.3)
+    rake (13.0.1)
     rb-fsevent (0.10.3)
     rb-inotify (0.10.0)
       ffi (~> 1.0)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
     rubocop (0.51.0)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -135,11 +143,10 @@ GEM
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
     ruby-progressbar (1.10.1)
-    ruby_dep (1.5.0)
     safe_yaml (1.0.5)
     semantic_puppet (1.0.2)
     shellany (0.0.1)
-    signet (0.11.0)
+    signet (0.12.0)
       addressable (~> 2.3)
       faraday (~> 0.9)
       jwt (>= 1.5, < 3.0)
@@ -149,14 +156,13 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    stomp (1.4.8)
     systemu (2.6.5)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
     thor (0.20.3)
-    tins (1.21.1)
+    tins (1.22.2)
     unicode-display_width (1.6.0)
-    webmock (3.6.2)
+    webmock (3.7.6)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -166,6 +172,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  choria-mcorpc-support
   coveralls
   diplomat (~> 2)
   etcdv3 (~> 0.6.0)
@@ -174,10 +181,9 @@ DEPENDENCIES
   jgrep (>= 1.5.0)
   json-schema-rspec
   listen (~> 3)
-  mcollective-client
   mocha
-  nats-pure (~> 0.5)
-  puppet (~> 5.4)
+  nats-pure (~> 0.6)
+  puppet (~> 6)
   rake
   rspec
   rubocop (= 0.51.0)

diff --git a/lib/mcollective/application/choria.rb b/lib/mcollective/application/choria.rb
@@ -129,6 +129,7 @@ def show_config_command # rubocop:disable Metrics/MethodLength
         puts "      Using SRV Records: %s" % choria.should_use_srv?
         puts "              Federated: %s" % choria.federated?
         puts "             SRV Domain: %s" % choria.srv_domain
+        puts "               NATS NGS: %s" % choria.ngs?
 
         middleware_servers = choria.middleware_servers("puppet", 4222).map {|s, p| "%s:%s" % [s, p]}.join(", ")
 
@@ -168,7 +169,7 @@ def show_config_command # rubocop:disable Metrics/MethodLength
 
         puts
 
-        puts "SSL setup:"
+        puts "Security setup:"
         puts
 
         valid_ssl = choria.check_ssl_setup(false) rescue false
@@ -193,6 +194,14 @@ def show_config_command # rubocop:disable Metrics/MethodLength
           puts "      Public Cert CN: %s (%s)" % [cn, cn == choria.certname ? Util.colorize(:green, "match") : Util.colorize(:red, "does not match certname")]
         end
 
+        if choria.credential_file?
+          puts "    NATS Credentials: %s (%s)" % [
+            choria.credential_file,
+            File.exist?(choria.credential_file) ? Util.colorize(:green, "exit") : Util.colorize(:red, "does not exist")
+          ]
+          puts "         'nkeys' gem: %s" % choria.nkeys?
+        end
+
         puts
 
         puts "Active Choria configuration settings as found in configuration files:"

diff --git a/lib/mcollective/connector/nats.rb b/lib/mcollective/connector/nats.rb
@@ -74,11 +74,14 @@ def connect
           :name => @config.identity
         }
 
+        parameters[:user_credentials] = choria.credential_file if choria.credential_file?
+
         if $choria_unsafe_disable_nats_tls # rubocop:disable Style/GlobalVars
           Log.warn("Disabling TLS in NATS connector, this is not a production supported setup")
+        elsif choria.ngs?
+          configure_ngs(parameters)
         else
-          parameters[:tls] = {:context => choria.ssl_context}
-          choria.check_ssl_setup
+          configure_tls(parameters)
         end
 
         servers = server_list
@@ -93,6 +96,22 @@ def connect
         nil
       end
 
+      def configure_tls(parameters)
+        parameters[:tls] = {:context => choria.ssl_context}
+        choria.check_ssl_setup
+      end
+
+      def configure_ngs(parameters)
+        Log.debug("Disabling specific TLS during connection to NGS")
+
+        raise("nkeys rubygem is required for connections with credentials") unless choria.nkeys?
+
+        tls = OpenSSL::SSL::SSLContext.new
+        tls.ssl_version = :TLSv1_2
+
+        parameters[:tls] = {:context => tls}
+      end
+
       # Disconnects from NATS
       def disconnect
         connection.stop

diff --git a/lib/mcollective/registration/choria.rb b/lib/mcollective/registration/choria.rb