From ca5b27d093d09bd26aaebb18b7fd7d63d90de22c Mon Sep 17 00:00:00 2001
From: David Mandelberg
Date: Sun, 26 May 2024 20:07:02 -0400
Subject: [PATCH] Add macro to configure TLS for syslog-ng
---
 Saltfile | 1 +
 salt/file/log/syslog_ng/map.jinja | 79 +++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 salt/file/log/syslog_ng/map.jinja
diff --git a/Saltfile b/Saltfile
index 8b3131a..022001e 100644
--- a/Saltfile
+++ b/Saltfile
@@ -49,6 +49,7 @@ salt-ssh:
 - salt://gdm/map.jinja
 - salt://grub/map.jinja
 - salt://irc/bouncer/map.jinja
+ - salt://log/syslog_ng/map.jinja
 - salt://mail/dkimpy_milter/map.jinja
 - salt://mail/dovecot/map.jinja
 - salt://mail/inbound/map.jinja
diff --git a/salt/file/log/syslog_ng/map.jinja b/salt/file/log/syslog_ng/map.jinja
new file mode 100644
index 0000000..747251a
--- /dev/null
+++ b/salt/file/log/syslog_ng/map.jinja
@@ -0,0 +1,79 @@
+{#
+ # Copyright 2024 Google LLC
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+
+{% from 'common/map.jinja' import common %}
+{% from 'crypto/map.jinja' import crypto %}
+
+{#
+ # Returns config for a tls network source or destination.
+ #
+ # Args:
+ # is_client: True for use in client config file, false for server config.
+ # local_cert_dir_name: dir_name from boilerplate_certificate() for the local
+ # certificate.
+ # peers: See pillar.log.server.clients for the structure.
+ #}
+{% macro tls_config(
+ is_client,
+ local_cert_dir_name,
+ peers) %}
+port(6514)
+transport(tls)
+tls(
+ {%- if is_client %}
+ sni(yes)
+ {%- endif %}
+ ssl-options(
+ {%- for protocol in crypto.openssl.strict_protocols_disabled %}
+ no-{{ protocol | lower | replace('.', '') }}
+ {%- endfor %}
+ )
+ cipher-suite("{{
+ crypto.openssl.ciphers_to_string(
+ crypto.openssl.strict_ciphers
+ )
+ }}")
+ cert-file({{ common.local_etc }}/x509/{{ local_cert_dir_name }}/cert.pem)
+ key-file({{ common.local_etc }}/x509/{{ local_cert_dir_name }}/privkey.pem)
+ peer-verify(required-trusted)
+ {%- if is_client %}
+ ca-file(/etc/syslog-ng/conf.d/client-ca-certs.pem)
+ {%- else %}
+ {#-
+ # TODO(syslog-ng >= 4.2.0): Make sure this isn't sent to all (even
+ # unauthenticated) clients. openssl-conf-cmds() looks promising, possibly by
+ # setting RequestCAFile to /dev/null or by disabling CANames in Options.
+ #}
+ ca-file(/etc/syslog-ng/conf.d/server-ca-certs.pem)
+ {%- endif %}
+ # TODO(https://github.com/syslog-ng/syslog-ng/issues/4976): Don't use SHA-1.
+ trusted-keys(
+ {%- for peer_name, peer in peers | dictsort %}
+ {%- set peer_cert = salt['x509.read_certificate'](peer.certificate) %}
+ {#-
+ # TODO(https://github.com/syslog-ng/syslog-ng/issues/4978): Switch away
+ # from using .tls.x509_cn, then remove this validation.
+ #}
+ {%- if peer_cert.subject_str != 'CN=' + peer_name %}
+ {{ raise('Wrong subject for certificate of ' + peer_name) }}
+ {%- endif %}
+ "SHA1:{{ peer_cert.fingerprints.sha1 }}" # {{ peer_name }}
+ {%- endfor %}
+ )
+)
+{% endmacro %}
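Review bot: An empty `peers` mapping renders `trusted-keys()` with no entries, and the macro does not reject that case; whether syslog-ng then treats the empty list as "pin nothing" (accept any certificate that chains to the ca-file) or as a configuration error is not something the template pins down, so a guard just before the `trusted-keys(` line would make the intent explicit, e.g. `{%- if not peers %}` / `{{ raise('tls_config() needs at least one peer for trusted-keys()') }}` / `{%- endif %}`. Separately, the `Args:` comment for `peers` only defers to pillar.log.server.clients, while the macro itself reads exactly one field, `peer.certificate` (passed to salt['x509.read_certificate']), and requires each key to equal the certificate's CN; a sentence such as `#   peers: Mapping of peer name (must equal the certificate's CN) to a dict with a 'certificate' entry that x509.read_certificate can read.` would let a caller use the macro without reading the pillar. Both points apply to the trusted-keys() section near the end of the hunk.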