Artemis auth (#8)

* add Artemis auth test

* deploy a hacked truststore

* ensure artemis DN has spaces, otherwise Java hates us

playbooks/deploy.yaml

@@ -10,6 +10,7 @@
     candlepin_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
     candlepin_tomcat_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
     candlepin_tomcat_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
+    candlepin_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
     candlepin_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
     postgresql_databases:
     - name: candlepin

roles/candlepin/tasks/artemis.yml

@@ -1,6 +1,6 @@
 ---
 - name: Extract the DN from the client certificate
-  ansible.builtin.command: "openssl x509 -in {{ candlepin_client_certificate }} -noout -subject -nameopt rfc2253"
+  ansible.builtin.command: "openssl x509 -in {{ candlepin_client_certificate }} -noout -subject -nameopt rfc2253,sep_comma_plus_space"
   register: openssl_response
 
 - name: Set candlepin_artemis_client_dn

roles/candlepin/tasks/certs.yml

@@ -10,6 +10,17 @@
     other_certificates: "{{ candlepin_ca_certificate }}"
     state: present
 
+- name: Generate truststore
+  community.crypto.openssl_pkcs12:
+    action: export
+    passphrase: "{{ candlepin_keystore_password }}"
+    path: "/root/candlepin.truststore"
+    friendly_name: 'artemis-client'
+    privatekey_path: "{{ candlepin_client_key }}"
+    certificate_path: "{{ candlepin_client_certificate }}"
+    other_certificates: "{{ candlepin_ca_certificate }}"
+    state: present
+
 - name: Create the podman secret for Candlepin CA certificate
   containers.podman.podman_secret:
     name: candlepin-ca-cert
@@ -28,6 +39,12 @@
     path: "/root/candlepin.keystore"
     state: present
 
+- name: Create the podman secret for Tomcat truststore
+  containers.podman.podman_secret:
+    name: candlepin-tomcat-truststore
+    path: "/root/candlepin.truststore"
+    state: present
+
 - name: Create the podman secret for the keystore password
   containers.podman.podman_secret:
     name: candlepin-tomcat-keystore-password

roles/candlepin/templates/broker.xml.j2

@@ -10,7 +10,7 @@
 
         <acceptors>
             <acceptor name="in-vm">vm://0</acceptor>
-            <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;keyStorePath=/etc/candlepin/certs/keystore;keyStorePassword={{ candlepin_keystore_password }};needClientAuth=true</acceptor>
+            <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=/etc/candlepin/certs/truststore;trustStorePassword={{ candlepin_keystore_password }};keyStorePath=/etc/candlepin/certs/keystore;keyStorePassword={{ candlepin_keystore_password }};needClientAuth=true</acceptor>
         </acceptors>
 
         <security-enabled>true</security-enabled>

roles/candlepin/templates/candlepin.container.j2

@@ -24,6 +24,7 @@ Volume=/var/log/tomcat:/var/log/tomcat:Z
 Secret=candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440
 Secret=candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440
 Secret=candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440
+Secret=candlepin-tomcat-truststore,target=/etc/candlepin/certs/truststore,mode=0440
 
 [Install]
 # Start by default on boot

tests/candlepin_test.py

@@ -23,6 +23,11 @@ def test_artemis_port(host):
     assert candlepin.port("61613").is_reachable
 
 
+def test_artemis_auth(host):
+    cmd = host.run('echo "" | openssl s_client -CAfile /root/certificates/certs/ca.crt -cert /root/certificates/certs/quadlet.example.com-client.crt -key /root/certificates/private/quadlet.example.com-client.key -connect localhost:61613')
+    assert cmd.succeeded, f"exit: {cmd.rc}\n\nstdout:\n{cmd.stdout}\n\nstderr:\n{cmd.stderr}"
+
+
 def test_certs_users_file(host):
     file = host.file("/etc/tomcat/cert-users.properties")
     assert file.exists