From 922fa03ecf7d30ed1348604509a0c9e4b37494da Mon Sep 17 00:00:00 2001
From: anastasia prasolova
Date: Wed, 5 Jul 2023 20:03:47 +0300
Subject: [PATCH] #59 #60 Add TLS support for RPC node of internal consensus
---
 defaults/main.yml | 60 +++++++++++++++++++++++++++++++++++++++++++++--
 tasks/main.yml | 2 ++
 tasks/tls.yml | 19 +++++++++++++++
 3 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 tasks/tls.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index c91d910..9db2421 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,8 +60,35 @@ neofs_ir__blockchain_notary_disabled: False
 neofs_ir__blockchain_time_per_block: '15s'
 neofs_ir__blockchain_magic: '735783775'
 neofs_ir__blockchain_seed_nodes: []
-neofs_ir__blockchain_rpc_addresses: []
-neofs_ir__blockchain_p2p_addresses: []
+
+neofs_ir__blockchain_rpc_address: 'localhost'
+neofs_ir__blockchain_rpc_port: 30333
+neofs_ir__blockchain_rpc_allow: []
+neofs_ir__blockchain_rpc_group_allow: []
+neofs_ir__blockchain_rpc_host_allow: []
+neofs_ir__blockchain_rpc_addresses:
+ - '{{ neofs_ir__blockchain_rpc_address }}:{{ neofs_ir__blockchain_rpc_port }}'
+
+neofs_ir__blockchain_tls_rpc_enabled: False
+neofs_ir__blockchain_tls_rpc_address: 'localhost'
+neofs_ir__blockchain_tls_rpc_port: 30335
+neofs_ir__blockchain_tls_rpc_allow: []
+neofs_ir__blockchain_tls_rpc_group_allow: []
+neofs_ir__blockchain_tls_rpc_host_allow: []
+neofs_ir__blockchain_tls_rpc_addresses:
+ - '{{ neofs_ir__blockchain_tls_rpc_address }}:{{ neofs_ir__blockchain_tls_rpc_port }}'
+neofs_ir__blockchain_tls_rpc_cert: '{{ neofs_ir__conf_dir }}/server.crt'
+neofs_ir__blockchain_tls_rpc_key: '{{ neofs_ir__conf_dir }}/server.key'
+neofs_ir__blockchain_tls_rpc_local_cert: '/local/path/to/cert'
+neofs_ir__blockchain_tls_rpc_local_key: '/local/path/to/key'
+
+neofs_ir__blockchain_p2p_address: 'localhost'
+neofs_ir__blockchain_p2p_port: 20333
+neofs_ir__blockchain_p2p_allow: []
+neofs_ir__blockchain_p2p_group_allow: []
+neofs_ir__blockchain_p2p_host_allow: []
+neofs_ir__blockchain_p2p_addresses:
+ - '{{ neofs_ir__blockchain_p2p_address }}:{{ neofs_ir__blockchain_p2p_port }}'
 neofs_ir__validators:
 - '026fa34ec057d74c2fdf1a18e336d0bd597ea401a0b2ad57340d5c220d09f44086'
 
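Review bot: The defaults `neofs_ir__blockchain_tls_rpc_local_cert: '/local/path/to/cert'` and `neofs_ir__blockchain_tls_rpc_local_key: '/local/path/to/key'` are placeholders rather than usable values, and tasks/tls.yml in this same patch copies from them without any condition, so a host that leaves them at their defaults fails at the copy step even though TLS is disabled by default. Prefer an empty default (`''`) for both, with a comment above the block stating that they are required only when `neofs_ir__blockchain_tls_rpc_enabled` is true, that they are controller-side paths, and that the key should come from an Ansible-Vault-encrypted variable or a path kept out of version control. A second comment would also help operators, since both listeners default to loopback: `# Listeners default to loopback; set *_address to an interface address and fill the *_allow lists to expose a port.`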
@@ -90,6 +117,11 @@ neofs_ir__sidechain_config:
 seed_nodes: '{{ neofs_ir__blockchain_seed_nodes }}'
 rpc:
 listen: '{{ neofs_ir__blockchain_rpc_addresses }}'
+ tls:
+ enabled: '{{ neofs_ir__blockchain_tls_rpc_enabled }}'
+ listen: '{{ neofs_ir__blockchain_tls_rpc_addresses }}'
+ cert_file: '{{ neofs_ir__blockchain_tls_rpc_cert }}'
+ key_file: '{{ neofs_ir__blockchain_tls_rpc_key }}'
 p2p:
 dial_timeout: 3s
 proto_tick_interval: 2s
@@ -230,3 +262,27 @@ neofs_ir__ferm__dependent_rules:
 saddr: '{{ neofs_ir__control_allow + neofs_ir__control_group_allow + neofs_ir__control_host_allow }}'
 protocol: 'tcp'
 rule_state: "{{ 'present' if neofs_ir__control_enabled else 'absent' }}"
+
+ - type: 'accept'
+ name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_rpc'
+ dport: [ '{{ neofs_ir__blockchain_rpc_port }}' ]
+ daddr: [ '{{ neofs_ir__blockchain_rpc_address }}' ]
+ saddr: '{{ neofs_ir__blockchain_rpc_allow + neofs_ir__blockchain_rpc_group_allow + neofs_ir__blockchain_rpc_host_allow }}'
+ protocol: 'tcp'
+ rule_state: "{{ 'present' if not neofs_ir__external_sidechain else 'absent' }}"
+
+ - type: 'accept'
+ name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_tls_rpc'
+ dport: [ '{{ neofs_ir__blockchain_tls_rpc_port }}' ]
+ daddr: [ '{{ neofs_ir__blockchain_tls_rpc_address }}' ]
+ saddr: '{{ neofs_ir__blockchain_tls_rpc_allow + neofs_ir__blockchain_tls_rpc_group_allow + neofs_ir__blockchain_tls_rpc_host_allow }}'
+ protocol: 'tcp'
+ rule_state: "{{ 'present' if neofs_ir__blockchain_tls_rpc_enabled else 'absent' }}"
+
+ - type: 'accept'
+ name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_p2p'
+ dport: [ '{{ neofs_ir__blockchain_p2p_port }}' ]
+ daddr: [ '{{ neofs_ir__blockchain_p2p_address }}' ]
+ saddr: '{{ neofs_ir__blockchain_p2p_allow + neofs_ir__blockchain_p2p_group_allow + neofs_ir__blockchain_p2p_host_allow }}'
+ protocol: 'tcp'
+ rule_state: "{{ 'present' if not neofs_ir__external_sidechain else 'absent' }}"
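Review bot: The `rule_state` of the new `_blockchain_tls_rpc` firewall rule depends only on `neofs_ir__blockchain_tls_rpc_enabled`, whereas the sibling `_blockchain_rpc` and `_blockchain_p2p` rules added in the same hunk are withdrawn when `neofs_ir__external_sidechain` is set; a host with an external sidechain and TLS switched on therefore keeps an accept rule for a listener it does not run. Use `rule_state: "{{ 'present' if (neofs_ir__blockchain_tls_rpc_enabled and not neofs_ir__external_sidechain) else 'absent' }}"`. All three rules build `saddr` from three lists that default to `[]`; if the ferm role treats an empty `saddr` as "any source" (its semantics are not visible here), pointing `*_address` at a non-loopback interface without also populating an allow list opens that port to every peer, which deserves either a comment on the defaults or an assert in the role. Note too that enabling TLS does not retire the plaintext `_blockchain_rpc` rule, since nothing in this patch lets an operator turn the plain RPC listener off. The `neofs_ir__ferm__dependent_rules` list begins outside the hunk.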
diff --git a/tasks/main.yml b/tasks/main.yml
index f16881a..745e50a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,8 @@
 - ansible.builtin.include_tasks: wallet.yml
+- ansible.builtin.include_tasks: tls.yml
+
 - name: Copy NeoFS IR config
 ansible.builtin.template:
 src: 'config.yml.j2'
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..a65d8da
--- /dev/null
+++ b/tasks/tls.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Copy TLS certificate for Internal Consensus RPC node
+ ansible.builtin.copy:
+ src: '{{ neofs_ir__blockchain_tls_rpc_local_cert }}'
+ dest: '{{ neofs_ir__blockchain_tls_rpc_cert }}'
+ owner: 'root'
+ group: '{{ neofs_ir__group }}'
+ mode: '0640'
+ notify: [ 'Restart NeoFS IR' ]
+
+- name: Copy TLS key for Internal Consensus RPC node
+ ansible.builtin.copy:
+ src: '{{ neofs_ir__blockchain_tls_rpc_local_key }}'
+ dest: '{{ neofs_ir__blockchain_tls_rpc_key }}'
+ owner: 'root'
+ group: '{{ neofs_ir__group }}'
+ mode: '0640'
+ notify: [ 'Restart NeoFS IR' ]
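Review bot: The new `include_tasks: tls.yml` runs on every host, but TLS is off by default (`neofs_ir__blockchain_tls_rpc_enabled: False` in defaults/main.yml of this patch), so hosts that never asked for TLS still have a certificate and private key pushed to them — and with the placeholder source paths shipped as defaults the copy fails outright. Gate the include on the feature flag: `- ansible.builtin.include_tasks: tls.yml` followed by `  when: neofs_ir__blockchain_tls_rpc_enabled | bool`. The surrounding task list continues outside the hunk.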
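Review bot: The private-key task uses `ansible.builtin.copy`, which in `--diff` mode can print the full content of a changed text file, so a key rotation would echo the PEM into the controller's output and any CI log; add `diff: false` (or `no_log: true`) to the "Copy TLS key" task. `mode: '0640'` with `owner: 'root'` and `group: '{{ neofs_ir__group }}'` is only right if the IR process runs under that group, which is not visible here; if it runs as a dedicated user, the key should instead be `0600` and owned by that user. Neither task carries a `when`, so both execute even when TLS is disabled; `when: neofs_ir__blockchain_tls_rpc_enabled | bool` on each would avoid requiring the files on hosts without TLS. A short header comment would also help: `# Installs the operator-supplied TLS certificate and private key for the internal-consensus RPC listener; src paths are on the controller, dest paths are inside neofs_ir__conf_dir.`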