From 0b1891d82a421e6207361841560365b3de30c366 Mon Sep 17 00:00:00 2001
From: Hao Liu <haoli@redhat.com>
Date: Mon, 29 Aug 2022 16:06:13 -0400
Subject: [PATCH] generate complete install bundle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
➜  34.213.5.206_install_bundle git:(instance-install-bundle-content) ✗ tree
.
├── install_receptor.yml
├── inventory.yml
├── receptor
│   ├── tls
│   │   ├── ca
│   │   │   └── receptor-ca.crt
│   │   ├── receptor.crt
│   │   └── receptor.key
│   └── work-public-key.pem
└── requirements.yml
```

Signed-off-by: Hao Liu <haoli@redhat.com>
---
 awx/api/views/instance_install_bundle.py | 219 ++++++++++++++++++++---
 docs/licenses/asn1.txt                   |   7 +
 docs/licenses/enum-compat.txt            |   7 +
 requirements/requirements.in             |   1 +
 requirements/requirements.txt            |   4 +
 5 files changed, 218 insertions(+), 20 deletions(-)
 create mode 100644 docs/licenses/asn1.txt
 create mode 100644 docs/licenses/enum-compat.txt

diff --git a/awx/api/views/instance_install_bundle.py b/awx/api/views/instance_install_bundle.py
index f3f017d146..ff75bfbcd2 100644
--- a/awx/api/views/instance_install_bundle.py
+++ b/awx/api/views/instance_install_bundle.py
@@ -1,19 +1,42 @@
 # Copyright (c) 2018 Red Hat, Inc.
 # All Rights Reserved.
 
+import datetime
+import io
 import os
 import tarfile
-import tempfile
+import ipaddress
 
+import asn1
 from awx.api import serializers
 from awx.api.generics import GenericAPIView, Response
 from awx.api.permissions import IsSystemAdminOrAuditor
 from awx.main import models
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509 import DNSName, IPAddress, ObjectIdentifier, OtherName
+from cryptography.x509.oid import NameOID
+from django.http import HttpResponse
 from django.utils.translation import gettext_lazy as _
 from rest_framework import status
-from django.http import HttpResponse
+
+# Red Hat has an OID namespace (RHANANA). Receptor has its own designation under that.
+RECEPTOR_OID = "1.3.6.1.4.1.2312.19.1"
 
 # generate install bundle for the instance
+# install bundle directory structure
+# ├── install_receptor.yml (playbook)
+# ├── inventory.ini
+# ├── receptor
+# │   ├── vars.yml
+# │   ├── tls
+# │   │   ├── ca
+# │   │   │   └── receptor-ca.crt
+# │   │   ├── receptor.crt
+# │   │   └── receptor.key
+# │   └── work-public-key.pem
+# └── requirements.yml
 class InstanceInstallBundle(GenericAPIView):
 
     name = _('Install Bundle')
@@ -31,24 +54,180 @@ class InstanceInstallBundle(GenericAPIView):
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
-        # TODO: add actual data into the bundle
-        # create a named temporary file directory to store the content of the install bundle
-        with tempfile.TemporaryDirectory() as tmpdirname:
-            # create a empty file named "moc_content.txt" in the temporary directory
-            with open(os.path.join(tmpdirname, 'mock_content.txt'), 'w') as f:
-                f.write('mock content')
+        with io.BytesIO() as f:
+            with tarfile.open(fileobj=f, mode='w:gz') as tar:
+                # copy /etc/receptor/tls/ca/receptor-ca.crt to receptor/tls/ca in the tar file
+                tar.add(
+                    os.path.realpath('/etc/receptor/tls/ca/receptor-ca.crt'), arcname=f"{instance_obj.hostname}_install_bundle/receptor/tls/ca/receptor-ca.crt"
+                )
 
-            # create empty directory in temporary directory
-            os.mkdir(os.path.join(tmpdirname, 'mock_dir'))
+                # copy /etc/receptor/signing/work-public-key.pem to receptor/work-public-key.pem
+                tar.add('/etc/receptor/signing/work-public-key.pem', arcname=f"{instance_obj.hostname}_install_bundle/receptor/work-public-key.pem")
 
-            # tar.gz and create a temporary file from the temporary directory
-            # the directory will be renamed and prefixed with the hostname of the instance
-            with tempfile.NamedTemporaryFile(suffix='.tar.gz') as tmpfile:
-                with tarfile.open(tmpfile.name, 'w:gz') as tar:
-                    tar.add(tmpdirname, arcname=f"{instance_obj.hostname}_install_bundle")
+                # generate and write the receptor key to receptor/tls/receptor.key in the tar file
+                key, cert = generate_receptor_tls(instance_obj)
 
-                # read the temporary file and send it to the client
-                with open(tmpfile.name, 'rb') as f:
-                    response = HttpResponse(f.read(), status=status.HTTP_200_OK)
-                    response['Content-Disposition'] = f"attachment; filename={instance_obj.hostname}_install_bundle.tar.gz"
-                    return response
+                key_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/receptor/tls/receptor.key")
+                key_tarinfo.size = len(key)
+                tar.addfile(key_tarinfo, io.BytesIO(key))
+
+                cert_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/receptor/tls/receptor.crt")
+                cert_tarinfo.size = len(cert)
+                tar.addfile(cert_tarinfo, io.BytesIO(cert))
+
+                # generate and write install_receptor.yml to the tar file
+                playbook = generate_playbook().encode('utf-8')
+                playbook_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/install_receptor.yml")
+                playbook_tarinfo.size = len(playbook)
+                tar.addfile(playbook_tarinfo, io.BytesIO(playbook))
+
+                # generate and write inventory.yml to the tar file
+                inventory_yml = generate_inventory_yml(instance_obj).encode('utf-8')
+                inventory_yml_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/inventory.yml")
+                inventory_yml_tarinfo.size = len(inventory_yml)
+                tar.addfile(inventory_yml_tarinfo, io.BytesIO(inventory_yml))
+
+                # generate and write requirements.yml to the tar file
+                requirements_yml = generate_requirements_yml().encode('utf-8')
+                requirements_yml_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/requirements.yml")
+                requirements_yml_tarinfo.size = len(requirements_yml)
+                tar.addfile(requirements_yml_tarinfo, io.BytesIO(requirements_yml))
+
+            # respond with the tarfile
+            f.seek(0)
+            response = HttpResponse(f.read(), status=status.HTTP_200_OK)
+            response['Content-Disposition'] = f"attachment; filename={instance_obj.hostname}_install_bundle.tar.gz"
+            return response
+
+
+def generate_playbook():
+    return """---
+- hosts: all
+  become: yes
+  tasks:
+    - name: Create the receptor user
+      user:
+        name: "{{ receptor_user }}"
+        shell: /bin/bash
+    - import_role:
+        name: ansible.receptor.receptor
+    - name: Install ansible-runner
+      pip:
+        name: ansible-runner
+        executable: pip3.9
+"""
+
+
+def generate_requirements_yml():
+    return """---
+collections:
+  - name: ansible.receptor     
+"""
+
+
+def generate_inventory_yml(instance_obj):
+    return f"""---
+all:
+  hosts:
+    remote-execution:
+      ansible_host: {instance_obj.hostname}
+      ansible_user: <username> # user provided
+      ansible_ssh_private_key_file: ~/.ssh/id_rsa
+      receptor_verify: true
+      receptor_tls: true
+      receptor_work_commands:
+        ansible-runner:
+          command: ansible-runner
+          params: worker
+          allowruntimeparams: true
+          verifysignature: true
+      custom_worksign_public_keyfile: receptor/work-public-key.pem
+      custom_tls_certfile: receptor/tls/receptor.crt
+      custom_tls_keyfile: receptor/tls/receptor.key
+      custom_ca_certfile: receptor/tls/ca/receptor-ca.crt
+      receptor_user: awx
+      receptor_group: awx
+      receptor_protocol: 'tcp'
+      receptor_listener: true
+      receptor_port: {instance_obj.listener_port}
+      receptor_dependencies:
+        - podman
+        - crun
+        - python39-pip
+"""
+
+
+def generate_receptor_tls(instance_obj):
+    # generate private key for the receptor
+    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+
+    # encode receptor hostname to asn1
+    hostname = instance_obj.hostname
+    encoder = asn1.Encoder()
+    encoder.start()
+    encoder.write(hostname.encode(), nr=asn1.Numbers.UTF8String)
+    hostname_asn1 = encoder.output()
+
+    san_params = [
+        DNSName(hostname),
+        OtherName(ObjectIdentifier(RECEPTOR_OID), hostname_asn1),
+    ]
+
+    try:
+        san_params.append(IPAddress(ipaddress.IPv4Address(hostname)))
+    except ipaddress.AddressValueError:
+        pass
+
+    # generate certificate for the receptor
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name(
+                [
+                    x509.NameAttribute(NameOID.COMMON_NAME, hostname),
+                ]
+            )
+        )
+        .add_extension(
+            x509.SubjectAlternativeName(san_params),
+            critical=False,
+        )
+        .sign(key, hashes.SHA256())
+    )
+
+    # sign csr with the receptor ca key from /etc/receptor/ca/receptor-ca.key
+    with open('/etc/receptor/tls/ca/receptor-ca.key', 'rb') as f:
+        ca_key = serialization.load_pem_private_key(
+            f.read(),
+            password=None,
+        )
+
+    with open('/etc/receptor/tls/ca/receptor-ca.crt', 'rb') as f:
+        ca_cert = x509.load_pem_x509_certificate(f.read())
+
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(csr.subject)
+        .issuer_name(ca_cert.issuer)
+        .public_key(csr.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))
+        .add_extension(
+            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value,
+            critical=csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).critical,
+        )
+        .sign(ca_key, hashes.SHA256())
+    )
+
+    key = key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+
+    cert = cert.public_bytes(
+        encoding=serialization.Encoding.PEM,
+    )
+
+    return key, cert
diff --git a/docs/licenses/asn1.txt b/docs/licenses/asn1.txt
new file mode 100644
index 0000000000..d218d2316d
--- /dev/null
+++ b/docs/licenses/asn1.txt
@@ -0,0 +1,7 @@
+Copyright (c) 2007-2021 the Python-ASN1 authors.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/docs/licenses/enum-compat.txt b/docs/licenses/enum-compat.txt
new file mode 100644
index 0000000000..4a6d02cfc6
--- /dev/null
+++ b/docs/licenses/enum-compat.txt
@@ -0,0 +1,7 @@
+Copyright (c) 2014, Jakub Stasiak <jakub@stasiak.at>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 3951faf06c..00779e760c 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -1,6 +1,7 @@
 aiohttp>=3.7.4
 ansiconv==1.0.0  # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
 asciichartpy
+asn1
 autobahn>=20.12.3  # CVE-2020-35678
 azure-keyvault==1.1.0  # see UPGRADE BLOCKERs
 channels
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 143506c21e..c407a3f5ee 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -15,6 +15,8 @@ asgiref==3.5.0
     #   channels-redis
     #   daphne
     #   django
+asn1==2.6.0
+    # via -r /awx_devel/requirements/requirements.in
 async-timeout==3.0.1
     # via
     #   aiohttp
@@ -132,6 +134,8 @@ docutils==0.16
     # via python-daemon
 ecdsa==0.18.0
     # via python-jose
+enum-compat==0.0.3
+    # via asn1
 filelock==3.8.0
     # via -r /awx_devel/requirements/requirements.in
     # via