Extend SSL/TLS support to st2stream and st2api

StackStorm · May 24, 2024 · be10491 · be10491
1 parent 8513165
commit be10491
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 6 deletions.
diff --git a/st2api/st2api/app.py b/st2api/st2api/app.py
@@ -47,6 +47,7 @@ def setup_app(config=None):
             "name": "api",
             "listen_host": cfg.CONF.api.host,
             "listen_port": cfg.CONF.api.port,
+            "listen_ssl": cfg.CONF.api.use_ssl,
             "type": "active",
         }
 

diff --git a/st2api/st2api/cmd/api.py b/st2api/st2api/cmd/api.py
@@ -54,6 +54,7 @@ def _setup():
         "name": "api",
         "listen_host": cfg.CONF.api.host,
         "listen_port": cfg.CONF.api.port,
+        "listen_ssl": cfg.CONF.api.use_ssl,
         "type": "active",
     }
 
@@ -76,13 +77,34 @@ def _setup():
 def _run_server():
     host = cfg.CONF.api.host
     port = cfg.CONF.api.port
+    use_ssl = cfg.CONF.api.use_ssl
 
-    LOG.info("(PID=%s) ST2 API is serving on http://%s:%s.", os.getpid(), host, port)
+    cert_file_path = os.path.realpath(cfg.CONF.api.cert)
+    key_file_path = os.path.realpath(cfg.CONF.api.key)
+
+    if use_ssl and not os.path.isfile(cert_file_path):
+        raise ValueError('Certificate file "%s" doesn\'t exist' % (cert_file_path))
+
+    if use_ssl and not os.path.isfile(key_file_path):
+        raise ValueError('Private key file "%s" doesn\'t exist' % (key_file_path))
+
+    LOG.info(
+        "(PID=%s) ST2 API is serving on %s://%s:%s.",
+        os.getpid(),
+        "https" if use_ssl else "http",
+        host,
+        port,
+    )
 
     max_pool_size = eventlet.wsgi.DEFAULT_MAX_SIMULTANEOUS_REQUESTS
     worker_pool = eventlet.GreenPool(max_pool_size)
     sock = eventlet.listen((host, port))
 
+    if use_ssl:
+        sock = eventlet.wrap_ssl(
+            sock, certfile=cert_file_path, keyfile=key_file_path, server_side=True
+        )
+
     wsgi.server(
         sock, app.setup_app(), custom_pool=worker_pool, log=LOG, log_output=False
     )

diff --git a/st2api/st2api/config.py b/st2api/st2api/config.py
@@ -76,7 +76,7 @@ def _register_app_opts(ignore_errors=False):
         pecan_opts, group="api_pecan", ignore_errors=ignore_errors
     )
 
-    logging_opts = [
+    api_opts = [
         cfg.BoolOpt("debug", default=False),
         cfg.StrOpt(
             "logging",
@@ -89,8 +89,17 @@ def _register_app_opts(ignore_errors=False):
             help="Maximum limit (page size) argument which can be "
             "specified by the user in a query string.",
         ),
+        cfg.BoolOpt("use_ssl", default=False, help="Specify to enable SSL / TLS mode"),
+        cfg.StrOpt(
+            "cert",
+            default="/etc/apache2/ssl/mycert.crt",
+            help='Path to the SSL certificate file. Only used when "use_ssl" is specified.',
+        ),
+        cfg.StrOpt(
+            "key",
+            default="/etc/apache2/ssl/mycert.key",
+            help='Path to the SSL private key file. Only used when "use_ssl" is specified.',
+        ),
     ]
 
-    common_config.do_register_opts(
-        logging_opts, group="api", ignore_errors=ignore_errors
-    )
+    common_config.do_register_opts(api_opts, group="api", ignore_errors=ignore_errors)
diff --git a/st2stream/st2stream/app.py b/st2stream/st2stream/app.py
@@ -52,6 +52,7 @@ def setup_app(config={}):
             "name": "stream",
             "listen_host": cfg.CONF.stream.host,
             "listen_port": cfg.CONF.stream.port,
+            "listen_ssl": cfg.CONF.stream.use_ssl,
             "type": "active",
         }
         # This should be called in gunicorn case because we only want

diff --git a/st2stream/st2stream/cmd/api.py b/st2stream/st2stream/cmd/api.py
@@ -60,6 +60,7 @@ def _setup():
         "name": "stream",
         "listen_host": cfg.CONF.stream.host,
         "listen_port": cfg.CONF.stream.port,
+        "listen_ssl": cfg.CONF.stream.use_ssl,
         "type": "active",
     }
     common_setup(
@@ -78,15 +79,34 @@ def _setup():
 def _run_server():
     host = cfg.CONF.stream.host
     port = cfg.CONF.stream.port
+    use_ssl = cfg.CONF.stream.use_ssl
+
+    cert_file_path = os.path.realpath(cfg.CONF.stream.cert)
+    key_file_path = os.path.realpath(cfg.CONF.stream.key)
+
+    if use_ssl and not os.path.isfile(cert_file_path):
+        raise ValueError('Certificate file "%s" doesn\'t exist' % (cert_file_path))
+
+    if use_ssl and not os.path.isfile(key_file_path):
+        raise ValueError('Private key file "%s" doesn\'t exist' % (key_file_path))
 
     LOG.info(
-        "(PID=%s) ST2 Stream API is serving on http://%s:%s.", os.getpid(), host, port
+        "(PID=%s) ST2 Stream API is serving on %s://%s:%s.",
+        os.getpid(),
+        "https" if use_ssl else "http",
+        host,
+        port,
     )
 
     max_pool_size = eventlet.wsgi.DEFAULT_MAX_SIMULTANEOUS_REQUESTS
     worker_pool = eventlet.GreenPool(max_pool_size)
     sock = eventlet.listen((host, port))
 
+    if use_ssl:
+        sock = eventlet.wrap_ssl(
+            sock, certfile=cert_file_path, keyfile=key_file_path, server_side=True
+        )
+
     def queue_shutdown(signal_number, stack_frame):
         deregister_service(STREAM)
         eventlet.spawn_n(

diff --git a/st2stream/st2stream/config.py b/st2stream/st2stream/config.py
@@ -66,6 +66,17 @@ def _register_app_opts(ignore_errors=False):
             default="/etc/st2/logging.stream.conf",
             help="location of the logging.conf file",
         ),
+        cfg.BoolOpt("use_ssl", default=False, help="Specify to enable SSL / TLS mode"),
+        cfg.StrOpt(
+            "cert",
+            default="/etc/apache2/ssl/mycert.crt",
+            help='Path to the SSL certificate file. Only used when "use_ssl" is specified.',
+        ),
+        cfg.StrOpt(
+            "key",
+            default="/etc/apache2/ssl/mycert.key",
+            help='Path to the SSL private key file. Only used when "use_ssl" is specified.',
+        ),
     ]
 
     common_config.do_register_opts(