Fixes #34667 - Add SSL support when connecting to mqtt broker (#75)

Use of SSL can be forced either way by explicitly setting mqtt_tls setting. If unset, it gets used if certificate, private key and CA certificate are available. Currently it reuses the foreman_ssl_* set of certs the smart proxy has.
theforeman · Apr 6, 2022 · fc0b785 · fc0b785
1 parent 6f4d13b
commit fc0b785
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/lib/smart_proxy_remote_execution_ssh.rb b/lib/smart_proxy_remote_execution_ssh.rb
@@ -60,6 +60,10 @@ def validate_mqtt_settings!
 
         raise 'mqtt_broker has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_broker.nil?
         raise 'mqtt_port has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_port.nil?
+
+        if Plugin.settings.mqtt_tls.nil?
+          Plugin.settings.mqtt_tls = [:foreman_ssl_cert, :foreman_ssl_key, :foreman_ssl_ca].all? { |key| ::Proxy::SETTINGS[key] }
+        end
       end
 
       def validate_ssh_log_level!

diff --git a/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb b/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb
@@ -88,11 +88,20 @@ def mqtt_cancel
     end
 
     def mqtt_notify(payload)
-      MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port) do |c|
+      with_mqtt_client do |c|
         c.publish(mqtt_topic, JSON.dump(payload), false, 1)
       end
     end
 
+    def with_mqtt_client(&block)
+      MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port,
+                           :ssl => settings.mqtt_tls,
+                           :cert_file => ::Proxy::SETTINGS.foreman_ssl_cert,
+                           :key_file => ::Proxy::SETTINGS.foreman_ssl_key,
+                           :ca_file => ::Proxy::SETTINGS.foreman_ssl_ca,
+                           &block)
+    end
+
     def host_name
       alternative_names = input.fetch(:alternative_names, {})
 

diff --git a/lib/smart_proxy_remote_execution_ssh/plugin.rb b/lib/smart_proxy_remote_execution_ssh/plugin.rb
@@ -18,6 +18,7 @@ class Plugin < Proxy::Plugin
                      :cleanup_working_dirs    => true,
                      # :mqtt_broker             => nil,
                      # :mqtt_port               => nil,
+                     # :mqtt_tls                => nil,
                      :mode                    => :ssh
 
     plugin :ssh, Proxy::RemoteExecution::Ssh::VERSION

diff --git a/settings.d/remote_execution_ssh.yml.example b/settings.d/remote_execution_ssh.yml.example
@@ -24,3 +24,8 @@
 # MQTT configuration, need to be set if mode is set to pull-mqtt
 # :mqtt_broker: localhost
 # :mqtt_port: 1883
+
+# Use of SSL can be forced either way by explicitly setting mqtt_tls setting. If
+# unset, SSL gets used if smart-proxy's foreman_ssl_cert, foreman_ssl_key and
+# foreman_ssl_ca settings are set available.
+# :mqtt_tls: