From fc0b7856273bb3ca07973e50f17d5a6f473d4f4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20R=C5=AF=C5=BEi=C4=8Dka?=
Date: Wed, 6 Apr 2022 12:26:49 +0200
Subject: [PATCH] Fixes #34667 - Add SSL support when connecting to mqtt broker (#75)

Use of SSL can be forced either way by explicitly setting mqtt_tls setting. If unset, it gets used if certificate, private key and CA certificate are available. Currently it reuses the foreman_ssl_* set of certs the smart proxy has.
---
 lib/smart_proxy_remote_execution_ssh.rb | 4 ++++
 .../actions/pull_script.rb | 11 ++++++++++-
 lib/smart_proxy_remote_execution_ssh/plugin.rb | 1 +
 settings.d/remote_execution_ssh.yml.example | 5 +++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/smart_proxy_remote_execution_ssh.rb b/lib/smart_proxy_remote_execution_ssh.rb
index c6c2abe..ba3939e 100644
--- a/lib/smart_proxy_remote_execution_ssh.rb
+++ b/lib/smart_proxy_remote_execution_ssh.rb
@@ -60,6 +60,10 @@ def validate_mqtt_settings!
 raise 'mqtt_broker has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_broker.nil?
 raise 'mqtt_port has to be set when pull-mqtt mode is used' if Plugin.settings.mqtt_port.nil?
+
+ if Plugin.settings.mqtt_tls.nil?
+ Plugin.settings.mqtt_tls = [:foreman_ssl_cert, :foreman_ssl_key, :foreman_ssl_ca].all? { |key| ::Proxy::SETTINGS[key] }
+ end
 end
 def validate_ssh_log_level!
diff --git a/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb b/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb
index cd9beaa..413f558 100644
--- a/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb
+++ b/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb
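Review bot: An explicitly configured `mqtt_tls: true` is never checked against the certificate settings it depends on — the new `if Plugin.settings.mqtt_tls.nil?` block only runs in the auto-detect case, so a deployment that forces TLS but lacks `foreman_ssl_cert`, `foreman_ssl_key` or `foreman_ssl_ca` passes validation and only fails later at connect time with nil paths, unlike the fail-fast raises for broker and port just above. I would compute availability once and raise in the explicit case too: `certs_available = [:foreman_ssl_cert, :foreman_ssl_key, :foreman_ssl_ca].all? { |key| ::Proxy::SETTINGS[key] }`, `Plugin.settings.mqtt_tls = certs_available if Plugin.settings.mqtt_tls.nil?`, `raise 'foreman_ssl_cert, foreman_ssl_key and foreman_ssl_ca have to be set when mqtt_tls is enabled' if Plugin.settings.mqtt_tls && !certs_available`. The auto-detect branch also falls back to a plaintext broker connection silently when any of the three is unset; a log line at that point would make the downgrade visible to the operator, and note that `::Proxy::SETTINGS[key]` is a truthiness check, so an empty string would count as "available". The `def validate_mqtt_settings!` line itself lies before the hunk.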
@@ -88,11 +88,20 @@ def mqtt_cancel
 end
 def mqtt_notify(payload)
- MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port) do |c|
+ with_mqtt_client do |c|
 c.publish(mqtt_topic, JSON.dump(payload), false, 1)
 end
 end
+ def with_mqtt_client(&block)
+ MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port,
+ :ssl => settings.mqtt_tls,
+ :cert_file => ::Proxy::SETTINGS.foreman_ssl_cert,
+ :key_file => ::Proxy::SETTINGS.foreman_ssl_key,
+ :ca_file => ::Proxy::SETTINGS.foreman_ssl_ca,
+ &block)
+ end
+
 def host_name
 alternative_names = input.fetch(:alternative_names, {})
diff --git a/lib/smart_proxy_remote_execution_ssh/plugin.rb b/lib/smart_proxy_remote_execution_ssh/plugin.rb
index bce8801..024f061 100644
--- a/lib/smart_proxy_remote_execution_ssh/plugin.rb
+++ b/lib/smart_proxy_remote_execution_ssh/plugin.rb
@@ -18,6 +18,7 @@ class Plugin < Proxy::Plugin
 :cleanup_working_dirs => true,
 # :mqtt_broker => nil,
 # :mqtt_port => nil,
+ # :mqtt_tls => nil,
 :mode => :ssh
 plugin :ssh, Proxy::RemoteExecution::Ssh::VERSION
diff --git a/settings.d/remote_execution_ssh.yml.example b/settings.d/remote_execution_ssh.yml.example
index 9d2fe3f..9a5b941 100644
--- a/settings.d/remote_execution_ssh.yml.example
+++ b/settings.d/remote_execution_ssh.yml.example
@@ -24,3 +24,8 @@
 # MQTT configuration, need to be set if mode is set to pull-mqtt
 # :mqtt_broker: localhost
 # :mqtt_port: 1883
+
+ # Use of SSL can be forced either way by explicitly setting mqtt_tls setting. If
+ # unset, SSL gets used if smart-proxy's foreman_ssl_cert, foreman_ssl_key and
+ # foreman_ssl_ca settings are set available.
+ # :mqtt_tls:
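Review bot: `with_mqtt_client` leaves broker certificate verification entirely to the MQTT library's defaults: it forwards `settings.mqtt_tls` as `:ssl` and passes whatever `::Proxy::SETTINGS.foreman_ssl_*` hold as `:cert_file`, `:key_file` and `:ca_file`, which are nil when those settings are absent, and nothing in this hunk rejects the combination of TLS enabled with a nil CA path. Whether the client then verifies the peer, and whether it checks the hostname against the certificate, is not visible here and should be confirmed against the library, since a nil `:ca_file` presumably means no trust anchor is configured by this code. The method also has no comment, although it now decides the transport security of every publish in `mqtt_notify`; I would add above `def with_mqtt_client(&block)`: `# Connects to the MQTT broker, over TLS when settings.mqtt_tls is true, presenting the smart proxy's own foreman_ssl_cert/key as client identity and foreman_ssl_ca as trust anchor; the broker is therefore trusted with the proxy's Foreman-facing credentials.` It is worth noting in that comment that the block-less form hands the open client back to the caller (presumably to disconnect). The enclosing class starts and ends outside the hunk.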