From 128e4af99696bcbacea066730d75a05d83446e87 Mon Sep 17 00:00:00 2001
From: Sindre Stephansen
Date: Tue, 18 Oct 2022 07:44:05 +0200
Subject: [PATCH] Set up TLS to and from high-transfer

This requires the shovel and high-logstash to use TLS
---
 docker-compose.yml | 5 ++++
 keys/.gitignore | 6 ++++
 keys/generate-key.sh | 55 ++++++++++++++++++++++++++++++++++
 pipelines/rabbitmq-stdout.conf | 4 +++
 rabbitmq/low-definitions.json | 2 +-
 rabbitmq/tls.conf | 8 +++++
 6 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 keys/.gitignore
 create mode 100755 keys/generate-key.sh
 create mode 100644 rabbitmq/tls.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 86c0a58..2986915 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,6 +6,7 @@ services:
 command: logstash -f /pipeline.conf
 volumes:
 - "./pipelines/rabbitmq-stdout.conf:/pipeline.conf:ro"
+ - "./keys/high-transfer.p12:/keys/cert.p12:ro"
 networks:
 - high
 depends_on:
@@ -15,7 +16,11 @@ services:
 image: rabbitmq:latest
 volumes:
 - "./rabbitmq/load-definitions.conf:/etc/rabbitmq/conf.d/20-load-definitions.conf:ro"
+ - "./rabbitmq/tls.conf:/etc/rabbitmq/conf.d/30-tls.conf:ro"
 - "./rabbitmq/high-definitions.json:/etc/rabbitmq/definitions.json:ro"
+ - "./keys/ca.crt:/keys/ca.pem:ro"
+ - "./keys/high-transfer.key:/keys/key.pem:ro"
+ - "./keys/high-transfer.crt:/keys/cert.pem:ro"
 networks:
 - transfer
 - high
diff --git a/keys/.gitignore b/keys/.gitignore
new file mode 100644
index 0000000..51daf9b
--- /dev/null
+++ b/keys/.gitignore
@@ -0,0 +1,6 @@
+*.key
+*.crt
+*.csr
+*.ext
+*.srl
+*.p12
\ No newline at end of file
diff --git a/keys/generate-key.sh b/keys/generate-key.sh
new file mode 100755
index 0000000..27c9555
--- /dev/null
+++ b/keys/generate-key.sh
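Review bot: The second hunk mounts `high-transfer.key`/`high-transfer.crt` as the broker's own TLS identity while the first hunk hands the very same key pair, packed as `high-transfer.p12`, to the Logstash container, and `rabbitmq/low-definitions.json` in this commit points the shovel at `/keys/cert.pem`/`/keys/key.pem` too. With `fail_if_no_peer_cert = true` on the broker, a client certificate therefore proves only possession of the broker's own private key: the mutual-TLS check cannot tell the shovel from Logstash, and a compromise of either consumer container exposes the server key. Since `keys/generate-key.sh` takes the certificate name as its argument, consider issuing one identity per peer (for example `generate-key.sh high-logstash` and `generate-key.sh shovel`), mounting only that peer's `.p12`/`.pem` into its container, and leaving `high-transfer.key` on the broker alone. The shovel runs inside the low-side RabbitMQ service, whose volumes this diff does not touch, so its `/keys/*.pem` mounts presumably exist elsewhere or are still missing — worth confirming.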
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+SCRIPT=$(realpath "$0")
+DIR=$(dirname "$SCRIPT")
+CA="$DIR/ca"
+
+if [ ! -f "$CA.key" ]; then
+ openssl req \
+ -x509 \
+ -sha256 \
+ -days 1825 \
+ -newkey rsa:2048 \
+ -keyout "$CA.key" \
+ -out "$CA.crt"
+fi
+
+if [ -n "$1" ]; then
+ FILE="$DIR/$1"
+
+ echo "Generating key for $1"
+ openssl req \
+ -newkey rsa:2048 \
+ -nodes \
+ -keyout "$FILE.key" \
+ -out "$FILE.csr"
+
+ echo ""
+
+ cat < "$FILE.ext"
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $1
+EOF
+
+ echo ""
+ openssl x509 \
+ -req \
+ -CA "$CA.crt" \
+ -CAkey "$CA.key" \
+ -in "$FILE.csr" \
+ -out "$FILE.crt" \
+ -days 365 \
+ -CAcreateserial \
+ -extfile "$FILE.ext"
+
+ echo ""
+ echo "Creating PKCS12 archive"
+ cat "$FILE.key" "$FILE.crt" | openssl pkcs12 -export -in - -out "$FILE.p12"
+else
+ echo "USAGE: generate-key.sh KEYNAME"
+fi
diff --git a/pipelines/rabbitmq-stdout.conf b/pipelines/rabbitmq-stdout.conf
index 1825f79..6c0da44 100644
--- a/pipelines/rabbitmq-stdout.conf
+++ b/pipelines/rabbitmq-stdout.conf
@@ -4,7 +4,11 @@ input {
 queue => "to-logstash"
 user => "logstash"
 password => "logstash"
+ port => 5671
 durable => true
+ ssl => true
+ ssl_certificate_path => "/keys/cert.p12"
+ ssl_certificate_password => "high-transfer"
 }
 }
diff --git a/rabbitmq/low-definitions.json b/rabbitmq/low-definitions.json
index 850f150..58f1c82 100644
--- a/rabbitmq/low-definitions.json
+++ b/rabbitmq/low-definitions.json
@@ -26,7 +26,7 @@ "value": {
 "src-uri": "amqp://shovel:shovel@localhost",
 "src-queue": "to-high",
- "dest-uri": "amqp://shovel:shovel@high-transfer",
+ "dest-uri": "amqps://shovel:shovel@high-transfer:5671?cacertfile=/keys/ca.pem&certfile=/keys/cert.pem&keyfile=/keys/key.pem&verify=verify_peer&server_nameindication=high-transfer",
 "dest-exchange": "from-low",
 "ack-mode": "on-confirm",
 "delete-after": "never"
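Review bot: The script never enables `set -eu`, so a failing `openssl req` or `openssl x509` step (a mistyped CA passphrase, a missing `realpath`) is ignored and the later commands run against a stale or absent `$FILE.csr`/`$FILE.crt`, quietly producing a `.p12` that does not match the certificate the broker was given; add `set -eu` directly under the shebang. The line `cat < "$FILE.ext"` as rendered here reads the extension file instead of writing it — this looks like a heredoc (`cat <<EOF > "$FILE.ext"`) whose redirection was lost in the rendering, but if the committed file really reads this way the `authorityKeyIdentifier=…`/`[alt_names]` lines are executed as shell commands and `$FILE.ext` is never created. The `openssl pkcs12 -export` call prompts for an export password interactively while `pipelines/rabbitmq-stdout.conf` hard-codes the value it expects; a comment above that call, `# The export password must equal ssl_certificate_password in pipelines/rabbitmq-stdout.conf`, would make the coupling visible until the two are driven from one variable.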
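Review bot: `ssl_certificate_password => "high-transfer"` commits the PKCS12 password in clear text although `keys/.gitignore` keeps the `.p12` itself out of the repository, so the only thing protecting the client private key at rest is a literal equal to the host name. Logstash substitutes `${VAR}` references in pipeline configuration from the environment, so `ssl_certificate_password => "${LOGSTASH_P12_PASSWORD}"` (variable name illustrative) supplied through the compose `environment` keeps the value out of the file; the same value then needs to reach `openssl pkcs12 -export` in `keys/generate-key.sh`, which today prompts for it. The archive that script builds contains only the leaf key and certificate — the CA is never added — so whether this input validates the broker certificate against `ca.crt` is not established by the hunk and should be confirmed against the plugin documentation before relying on it. The enclosing `input { rabbitmq { … } }` block begins above the hunk.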
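Review bot: The query parameter `server_nameindication` in the new `dest-uri` does not match the name RabbitMQ documents for URI TLS options, which as far as I know is `server_name_indication`; as written the SNI/hostname setting will not take effect, and whether the target RabbitMQ version rejects the URI or silently drops the unknown parameter should be checked. Change the tail of the URI to `&verify=verify_peer&server_name_indication=high-transfer`. The URI also resolves `/keys/ca.pem`, `/keys/cert.pem` and `/keys/key.pem` inside the low-side broker container, yet this commit's `docker-compose.yml` hunks add key mounts only to the Logstash and high-side broker services, so unless those mounts already exist the shovel cannot complete the TLS handshake.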
diff --git a/rabbitmq/tls.conf b/rabbitmq/tls.conf
new file mode 100644
index 0000000..6f8155b
--- /dev/null
+++ b/rabbitmq/tls.conf
@@ -0,0 +1,8 @@
+listeners.tcp = none
+listeners.ssl.default = 5671
+
+ssl_options.cacertfile = /keys/ca.pem
+ssl_options.certfile = /keys/cert.pem
+ssl_options.keyfile = /keys/key.pem
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = true
\ No newline at end of file
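Review bot: The new file carries no comment that `listeners.tcp = none` together with `ssl_options.verify = verify_peer` and `ssl_options.fail_if_no_peer_cert = true` removes plain AMQP entirely and requires every client on 5671 to present a certificate chaining to `/keys/ca.pem`; a header such as `# Plain AMQP (5672) is disabled: every client must connect on 5671 with a client certificate issued by keys/ca.crt` would spare the next maintainer a connection-refused hunt. Nothing pins the protocol versions, so the accepted TLS versions are whatever the Erlang/OTP build behind `rabbitmq:latest` defaults to; if older versions must be excluded, `ssl_options.versions.1 = tlsv1.3` and `ssl_options.versions.2 = tlsv1.2` make that explicit. `/keys/key.pem` is bind-mounted from `./keys/high-transfer.key`, which `openssl req -keyout` typically writes as mode 0600 for the invoking host user, while the official image runs the broker as an unprivileged `rabbitmq` user — if that file is unreadable the TLS listener will not come up, so file ownership and permissions should be part of the setup steps.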