feat: JumpServer支持部署在使用了ssl的redis上

2022-03-11 12:56:22 +08:00 · 2022-03-11 12:56:22 +08:00 · f04378eaf8
parent b644c47173
commit f04378eaf8
7 changed files with 110 additions and 31 deletions
--- a/apps/common/cache.py
+++ b/apps/common/cache.py
@ -1,11 +1,9 @@
 import time

-from redis import Redis
-
 from common.utils.lock import DistributedLock
+from common.utils.connection import get_redis_client
 from common.utils import lazyproperty
 from common.utils import get_logger
-from jumpserver.const import CONFIG

 logger = get_logger(__file__)

@ -58,7 +56,7 @@ class Cache(metaclass=CacheType):

    def __init__(self):
        self._data = None
-        self.redis = Redis(host=CONFIG.REDIS_HOST, port=CONFIG.REDIS_PORT, password=CONFIG.REDIS_PASSWORD)
+        self.redis = get_redis_client()

    def __getitem__(self, item):
        return self.field_desc_mapper[item]
--- a/apps/common/utils/connection.py
+++ b/apps/common/utils/connection.py
@ -1,23 +1,29 @@
 import json
 import threading

-import redis
+from redis import Redis
 from django.conf import settings

+from jumpserver.const import CONFIG
+from common.http import is_true
 from common.db.utils import safe_db_connection
 from common.utils import get_logger

 logger = get_logger(__name__)


-def get_redis_client(db):
-    rc = redis.StrictRedis(
-        host=settings.REDIS_HOST,
-        port=settings.REDIS_PORT,
-        password=settings.REDIS_PASSWORD,
-        db=db
-    )
-    return rc
+def get_redis_client(db=0):
+    params = {
+        'host': CONFIG.REDIS_HOST,
+        'port': CONFIG.REDIS_PORT,
+        'password': CONFIG.REDIS_PASSWORD,
+        'db': db,
+        "ssl": is_true(CONFIG.REDIS_USE_SSL),
+        'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
+        'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
+        'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
+    }
+    return Redis(**params)


 class Subscription:
@ -99,5 +105,3 @@ class RedisPubSub:
        data_json = json.dumps(data)
        self.redis.publish(self.ch, data_json)
        return True
-
-
--- a/apps/common/utils/lock.py
+++ b/apps/common/utils/lock.py
@ -10,6 +10,7 @@ from django.db import transaction

 from common.utils import get_logger
 from common.utils.inspect import copy_function_args
+from common.utils.connection import get_redis_client
 from jumpserver.const import CONFIG
 from common.local import thread_local

@ -44,7 +45,7 @@ class DistributedLock(RedisLock):
            是否可重入
        """
        self.kwargs_copy = copy_function_args(self.__init__, locals())
-        redis = Redis(host=CONFIG.REDIS_HOST, port=CONFIG.REDIS_PORT, password=CONFIG.REDIS_PASSWORD)
+        redis = get_redis_client()

        if expire is None:
            expire = auto_renewal_seconds
--- a/apps/jumpserver/rewriting/session.py
+++ b/apps/jumpserver/rewriting/session.py
@ -1,8 +1,39 @@
-from redis_sessions.session import force_unicode, SessionStore as RedisSessionStore
-from redis import exceptions
+from redis_sessions.session import (
+    force_unicode, SessionStore as RedisSessionStore,
+    RedisServer as RedisRedisServer, settings as redis_setting
+)
+from redis import exceptions, Redis
+from django.conf import settings
+
+from jumpserver.const import CONFIG
+
+
+class RedisServer(RedisRedisServer):
+    __redis = {}
+
+    def get(self):
+        if self.connection_key in self.__redis:
+            return self.__redis[self.connection_key]
+
+        ssl_params = {}
+        if CONFIG.REDIS_USE_SSL:
+            ssl_params = {
+                'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
+                'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
+                'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
+            }
+        # 只根据 redis_url 方式连接
+        self.__redis[self.connection_key] = Redis.from_url(
+            redis_setting.SESSION_REDIS_URL, **ssl_params
+        )
+
+        return self.__redis[self.connection_key]


 class SessionStore(RedisSessionStore):
+    def __init__(self, session_key=None):
+        super(SessionStore, self).__init__(session_key)
+        self.server = RedisServer(session_key).get()

    def load(self):
        try:
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@ -135,10 +135,13 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE = CONFIG.SESSION_EXPIRE_AT_BROWSER_CLOSE_F
 SESSION_SAVE_EVERY_REQUEST = CONFIG.SESSION_SAVE_EVERY_REQUEST
 SESSION_ENGINE = 'jumpserver.rewriting.session'
 SESSION_REDIS = {
-    'host': CONFIG.REDIS_HOST,
-    'port': CONFIG.REDIS_PORT,
-    'password': CONFIG.REDIS_PASSWORD,
-    'db': CONFIG.REDIS_DB_SESSION,
+    'url': '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
+        'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
+        'password': CONFIG.REDIS_PASSWORD,
+        'host': CONFIG.REDIS_HOST,
+        'port': CONFIG.REDIS_PORT,
+        'db': CONFIG.REDIS_DB_CACHE,
+    },
    'prefix': 'auth_session',
    'socket_timeout': 1,
    'retry_on_timeout': False
@ -246,18 +249,28 @@ FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755

 # Cache use redis
+REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key')
+REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt')
+REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt')
+
 CACHES = {
    'default': {
        # 'BACKEND': 'redis_cache.RedisCache',
        'BACKEND': 'redis_lock.django_cache.RedisCache',
-        'LOCATION': 'redis://:%(password)s@%(host)s:%(port)s/%(db)s' % {
+        'LOCATION': '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
+            'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
            'password': CONFIG.REDIS_PASSWORD,
            'host': CONFIG.REDIS_HOST,
            'port': CONFIG.REDIS_PORT,
            'db': CONFIG.REDIS_DB_CACHE,
        },
        'OPTIONS': {
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
+            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
+            "CONNECTION_POOL_KWARGS": {
+                "ssl_keyfile": REDIS_SSL_KEYFILE,
+                "ssl_certfile": REDIS_SSL_CERTFILE,
+                "ssl_ca_certs": REDIS_SSL_CA_CERTS
+            } if CONFIG.REDIS_USE_SSL else {}
        }
    }
 }
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@ -1,6 +1,9 @@
 # -*- coding: utf-8 -*-
 #
 import os
+import ssl
+
+from .base import REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE
 from ..const import CONFIG, PROJECT_DIR

 REST_FRAMEWORK = {
@ -82,16 +85,24 @@ BOOTSTRAP3 = {


 # Django channels support websocket
-CHANNEL_REDIS = "redis://:{}@{}:{}/{}".format(
-    CONFIG.REDIS_PASSWORD, CONFIG.REDIS_HOST, CONFIG.REDIS_PORT,
-    CONFIG.REDIS_DB_WS,
-)
+if not CONFIG.REDIS_USE_SSL:
+    context = None
+else:
+    context = ssl.SSLContext()
+    context.check_hostname = False
+    context.load_verify_locations(REDIS_SSL_CA_CERTS)
+    context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)

 CHANNEL_LAYERS = {
    'default': {
        'BACKEND': 'channels_redis.core.RedisChannelLayer',
        'CONFIG': {
-            "hosts": [CHANNEL_REDIS],
+            "hosts": [{
+                'address': (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT),
+                'db': CONFIG.REDIS_DB_WS,
+                'password': CONFIG.REDIS_PASSWORD,
+                'ssl':  context
+            }],
        },
    },
 }
@ -102,7 +113,8 @@ ASGI_APPLICATION = 'jumpserver.routing.application'
 CELERY_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'celery')

 # Celery using redis as broker
-CELERY_BROKER_URL = 'redis://:%(password)s@%(host)s:%(port)s/%(db)s' % {
+CELERY_BROKER_URL = '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
+    'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
    'password': CONFIG.REDIS_PASSWORD,
    'host': CONFIG.REDIS_HOST,
    'port': CONFIG.REDIS_PORT,
@ -125,6 +137,13 @@ CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
 # CELERY_WORKER_HIJACK_ROOT_LOGGER = True
 # CELERY_WORKER_MAX_TASKS_PER_CHILD = 40
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
+if CONFIG.REDIS_USE_SSL:
+    CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
+        'ssl_cert_reqs': 'required',
+        'ssl_ca_certs': REDIS_SSL_CA_CERTS,
+        'ssl_certfile': REDIS_SSL_CERTFILE,
+        'ssl_keyfile': REDIS_SSL_KEYFILE
+    }

 ANSIBLE_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'ansible')

--- a/utils/start_celery_beat.py
+++ b/utils/start_celery_beat.py
@ -18,7 +18,20 @@ os.environ.setdefault('PYTHONOPTIMIZE', '1')
 if os.getuid() == 0:
    os.environ.setdefault('C_FORCE_ROOT', '1')

-redis = Redis(host=CONFIG.REDIS_HOST, port=CONFIG.REDIS_PORT, password=CONFIG.REDIS_PASSWORD)
+REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key')
+REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt')
+REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt')
+
+params = {
+    'host': CONFIG.REDIS_HOST,
+    'port': CONFIG.REDIS_PORT,
+    'password': CONFIG.REDIS_PASSWORD,
+    "ssl": CONFIG.REDIS_USE_SSL,
+    "ssl_keyfile": REDIS_SSL_KEYFILE,
+    "ssl_certfile": REDIS_SSL_CERTFILE,
+    "ssl_ca_certs": REDIS_SSL_CA_CERTS
+}
+redis = Redis(**params)
 scheduler = "django_celery_beat.schedulers:DatabaseScheduler"

 cmd = [