STOMP bots: add support for authentication by username + password

zuo · zuo · commit 700182cd98f2 · 2023-09-27T11:52:07.000+02:00
Each of the *STOMP collector* and *STOMP output* bots obtained the
following new configuration parameters:

* `auth_by_ssl_client_certificate` (a Boolean flag; it is `True` by
  default -- to keep backward compatibility);

* `username` and `password` -- to be used as STOMP authentication
  credentials (login and passcode), but *only* if the aforementioned
  parameter `auth_by_ssl_client_certificate` is `False`.

If `auth_by_ssl_client_certificate` is `False`, then the (supported also
previously...) `ssl_client_certificate` and `ssl_client_certificate_key`
parameters are ignored (i.e., not only left unused, but also there are
*no checks* whether the files they refer to actually exist).
diff --git a/intelmq/bots/collectors/stomp/collector.py b/intelmq/bots/collectors/stomp/collector.py
@@ -77,6 +77,9 @@ class StompCollectorBot(CollectorBot, StompMixin):
     exchange: str = ''
     port: int = 61614
     server: str = "n6stream.cert.pl"
+    auth_by_ssl_client_certificate: bool = True
+    username: str = 'guest'  # ignored if `auth_by_ssl_client_certificate` is true
+    password: str = 'guest'  # ignored if `auth_by_ssl_client_certificate` is true
     ssl_ca_certificate: str = 'ca.pem'  # TODO pathlib.Path
     ssl_client_certificate: str = 'client.pem'  # TODO pathlib.Path
     ssl_client_certificate_key: str = 'client.key'  # TODO pathlib.Path
diff --git a/intelmq/bots/outputs/stomp/output.py b/intelmq/bots/outputs/stomp/output.py
@@ -26,6 +26,9 @@ class StompOutputBot(OutputBot, StompMixin):
     port: int = 61614
     server: str = "127.0.0.1"  # TODO: could be ip address
     single_key: bool = False
+    auth_by_ssl_client_certificate: bool = True
+    username: str = 'guest'  # ignored if `auth_by_ssl_client_certificate` is true
+    password: str = 'guest'  # ignored if `auth_by_ssl_client_certificate` is true
     ssl_ca_certificate: str = 'ca.pem'  # TODO: could be pathlib.Path
     ssl_client_certificate: str = 'client.pem'  # TODO: pathlib.Path
     ssl_client_certificate_key: str = 'client.key'  # TODO: patlib.Path
diff --git a/intelmq/lib/mixins/stomp.py b/intelmq/lib/mixins/stomp.py
@@ -31,6 +31,11 @@ class StompMixin:
     port: int
     heartbeat: int
 
+    auth_by_ssl_client_certificate: bool
+
+    username: str  # to be ignored if `auth_by_ssl_client_certificate` is true
+    password: str  # to be ignored if `auth_by_ssl_client_certificate` is true
+
     ssl_ca_certificate: str  # TODO: could be pathlib.Path
     ssl_client_certificate: str  # TODO: could be pathlib.Path
     ssl_client_certificate_key: str  # TODO: could be patlib.Path
@@ -102,13 +107,29 @@ def __verify_dependency(cls) -> None:
     def __verify_parameters(cls,
                             get_param: Callable[[str], Any],
                             on_error: Callable[[str], None]) -> None:
-        for param_name in [
-            'ssl_ca_certificate',
-            'ssl_client_certificate',
-            'ssl_client_certificate_key',
-        ]:
+        file_param_names = ['ssl_ca_certificate']
+        if cls.__should_cert_auth_params_be_verified(get_param, on_error):
+            file_param_names.extend([
+                'ssl_client_certificate',
+                'ssl_client_certificate_key',
+            ])
+        for param_name in file_param_names:
             cls.__verify_file_param(param_name, get_param, on_error)
 
+    @classmethod
+    def __should_cert_auth_params_be_verified(cls,
+                                              get_param: Callable[[str], Any],
+                                              on_error: Callable[[str], None]) -> bool:
+        flag = get_param('auth_by_ssl_client_certificate')
+        if not isinstance(flag, bool):
+            # Let us better be strict here -- explicitly rejecting any
+            # non-`bool` values as potentially misleading (e.g., consider
+            # a string like "false", which would be interpreted as True).
+            on_error(f"Parameter 'auth_by_ssl_client_certificate' "
+                     f"is not set to a bool value (got: {flag!r}).")
+            flag = False
+        return flag
+
     @classmethod
     def __verify_file_param(cls,
                             param_name: str,
@@ -136,10 +157,16 @@ def __get_ssl_and_connect_kwargs(self) -> Tuple[dict, dict]:
         # Note: the `ca_certs` argument to `set_ssl()` must always be
         # provided, otherwise the `stomp.py`'s machinery would *not*
         # perform any certificate verification!
-        ssl_kwargs = dict(
-            ca_certs=self.ssl_ca_certificate,
-            cert_file=self.ssl_client_certificate,
-            key_file=self.ssl_client_certificate_key,
-        )
+        ssl_kwargs = dict(ca_certs=self.ssl_ca_certificate)
         connect_kwargs = dict(wait=True)
+        if self.auth_by_ssl_client_certificate:
+            ssl_kwargs.update(
+                cert_file=self.ssl_client_certificate,
+                key_file=self.ssl_client_certificate_key,
+            )
+        else:
+            connect_kwargs.update(
+                username=self.username,
+                passcode=self.password,
+            )
         return ssl_kwargs, connect_kwargs
