Merge pull request #1872 from coreos-inc/qe-torrent

Add QE setup tool support for BitTorrent downloads

util/config/configutil.py

@@ -1,4 +1,5 @@
 from random import SystemRandom
+from uuid import uuid4
 
 def generate_secret_key():
   cryptogen = SystemRandom()
@@ -52,6 +53,10 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname):
   if not 'SECRET_KEY' in config_obj:
     config_obj['SECRET_KEY'] = current_secret_key
 
+  # Default torrent pepper.
+  if not 'BITTORRENT_FILENAME_PEPPER' in config_obj:
+    config_obj['BITTORRENT_FILENAME_PEPPER'] = str(uuid4())
+
   # Default storage configuration.
   if not 'DISTRIBUTED_STORAGE_CONFIG' in config_obj:
     config_obj['DISTRIBUTED_STORAGE_PREFERENCE'] = ['default']

util/config/validator.py

@@ -12,6 +12,7 @@ import redis
 
 from flask import Flask
 from flask_mail import Mail, Message
+from hashlib import sha1
 
 from app import app, config_provider, get_app_url, OVERRIDE_CONFIG_DIRECTORY
 from auth.auth_context import get_authenticated_user
@@ -25,6 +26,7 @@ from data.users.keystone import get_keystone_users
 from storage import get_storage_driver
 from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
 from util.secscan.api import SecurityScannerAPI
+from util.registry.torrent import torrent_jwt
 from util.security.signing import SIGNING_ENGINES
 
 
@@ -484,6 +486,42 @@ def _validate_security_scanner(config, _):
     raise Exception('Could not ping security scanner: %s' % message)
 
 
+def _validate_bittorrent(config, _):
+  """ Validates the configuration for using BitTorrent for downloads. """
+
+  # Ensure that the tracker is reachable and accepts requests signed with a registry key.
+  client = app.config['HTTPCLIENT']
+
+  params = {
+    'info_hash': sha1('somedata').digest(),
+    'peer_id': '-QUAY00-6wfG2wk6wWLc',
+    'uploaded': 0,
+    'downloaded': 0,
+    'left': 0,
+    'numwant': 0,
+    'port': 80,
+  }
+
+  encoded_jwt = torrent_jwt(params)
+  params['jwt'] = encoded_jwt
+
+  resp = client.get(config['BITTORRENT_ANNOUNCE_URL'], timeout=5, params=params)
+  logger.debug('Got tracker response: %s: %s', resp.status_code, resp.text)
+
+  if resp.status_code == 404:
+    raise Exception('Announce path not found; did you forget `/announce`?')
+
+  if resp.status_code == 500:
+    raise Exception('Did not get expected response from Tracker; please check your settings')
+
+  if resp.status_code == 200:
+    if 'invalid jwt' in resp.text:
+      raise Exception('Could not authorize to Tracker; is your Tracker properly configured?')
+
+    if 'failure reason' in resp.text:
+      raise Exception('Could not validate signed announce request: ' + resp.text)
+
+
 _VALIDATORS = {
   'database': _validate_database,
   'redis': _validate_redis,
@@ -500,4 +538,5 @@ _VALIDATORS = {
   'keystone': _validate_keystone,
   'signer': _validate_signer,
   'security-scanner': _validate_security_scanner,
+  'bittorrent': _validate_bittorrent,
 }

util/registry/torrent.py

@@ -21,7 +21,10 @@ def _load_private_key(private_key_file_path):
   with open(private_key_file_path) as private_key_file:
     return private_key_file.read()
 
-def _torrent_jwt(info_dict):
+def torrent_jwt(info_dict):
+  """ Returns an encoded JWT for the given information dictionary, signed by the local instance's
+      private key.
+  """
   token_data = {
     'iss': instance_keys.service_name,
     'aud': ANNOUNCE_URL,
@@ -45,7 +48,7 @@ def make_torrent(name, webseed, length, piece_length, pieces):
   }
 
   return bencode.bencode({
-    'announce': ANNOUNCE_URL + "?jwt=" + _torrent_jwt(info_dict),
+    'announce': ANNOUNCE_URL + "?jwt=" + torrent_jwt(info_dict),
     'url-list': webseed,
     'encoding': 'UTF-8',
     'created by': REGISTRY_TITLE,