Fixes #34667 - Add SSL support when connecting to mqtt broker

Use of SSL can be forced either way by explicitly setting mqtt_tls setting. If unset, it gets used if certificate, private key and CA certificate are available. Currently it reuses the ssl_* set of certs smart proxy has.
theforeman · Mar 23, 2022 · 60643dd · 60643dd
1 parent 3d83435
commit 60643dd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/lib/smart_proxy_remote_execution_ssh.rb b/lib/smart_proxy_remote_execution_ssh.rb
@@ -60,6 +60,10 @@ def validate_mqtt_settings!
 
         raise 'mqtt_broker has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_broker.nil?
         raise 'mqtt_port has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_port.nil?
+
+        if Plugin.settings.mqtt_tls.nil?
+          Plugin.settings.mqtt_tls = [:ssl_certificate, :ssl_private_key, :ssl_ca_file].all? { |key| ::Proxy::SETTINGS[key] }
+        end
       end
 
       def validate_ssh_log_level!

diff --git a/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb b/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb
@@ -82,11 +82,20 @@ def mqtt_start(otp_password)
     end
 
     def mqtt_notify(payload)
-      MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port) do |c|
+      with_mqtt_client do |c|
         c.publish(mqtt_topic, JSON.dump(payload), false, 1)
       end
     end
 
+    def with_mqtt_client(&block)
+      MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port,
+                           :ssl => settings.mqtt_tls,
+                           :cert_file => ::Proxy::SETTINGS.ssl_certificate,
+                           :key_file => ::Proxy::SETTINGS.ssl_private_key,
+                           :ca_file => ::Proxy::SETTINGS.ssl_ca_file,
+                           &block)
+    end
+
     def host_name
       alternative_names = input.fetch(:alternative_names, {})
 

diff --git a/lib/smart_proxy_remote_execution_ssh/plugin.rb b/lib/smart_proxy_remote_execution_ssh/plugin.rb
@@ -18,6 +18,7 @@ class Plugin < Proxy::Plugin
                      :cleanup_working_dirs    => true,
                      # :mqtt_broker             => nil,
                      # :mqtt_port               => nil,
+                     # :mqtt_tls                => nil,
                      :mode                    => :ssh
 
     plugin :ssh, Proxy::RemoteExecution::Ssh::VERSION