STOMP-and-n6-related updates, fixes and enhancements, especially adding login-based authentication

[zuo]

This is a bunch of updates, fixes and enhancements related to integration with STOMP-based services, especially with the n6's one.

The most important change is related to the upcoming switch of authentication to the n6 Stream API: from client certificate-based to login-and-passcode-based. Other changes focus on compatibility with newer versions of the stomp.py library as well as on minor fixes/cleanups/improvements (mostly consistency-related).

---

The key changes concern the STOMP collector bot and the STOMP output bot:

• Each of those two bots obtained three new config parameters -- necessary to accommodate to the incoming changes regarding the n6 Stream API's authentication mechanism, i.e., switching from the legacy client-certificate-based one to a new STOMP-login-and-passcode-based one. The new config parameters are:
  • auth_by_ssl_client_certificate: if true (the default), the legacy certificate-based authentication will be attempted (so ssl_client_certificate and ssl_client_certificate_key need to be specified); if false, the new login-based authentication will be attempted (so the config parameters described below need to be specified);
  • stomp_login username: a STOMP login (in the case of n6 it is just the user's login, the same which you use to log in to n6 Portal);
  • stomp_passcode password: a STOMP passcode (in the case of n6 it is the user's API key which can be obtained via n6 Portal).
• From now on, newer versions of the stomp.py library are supported, including the latest (8.1.0).

See also: the commit messages.

[sebix]

Suggested change

	auth_by_ssl_client_certificate`: Boolean, default: true (note: set to false for new *n6* auth)
	* `auth_by_ssl_client_certificate`: Boolean, default: true (note: set to false for new *n6* auth)

[zuo]

Fixed.

[zuo]

Note: now I added also CHANGELOG.md.

[zuo]

Now: a few corrections in CHANGELOG.md.

[zuo]

Now (among others): more corrections/additions in CHANGELOG.md.

[sebix]

what about calling them username and password?

[zuo]

I used these names because login and passcode are STOMP-(protocol)-specific terms/keywords.

But if you think username and password will be better here, I will change them; it's not a problem. :-)

[zuo]

So, what is your final decision, @sebix?

[sebix]

@kamil-certat @gethvi what do you think?

username/password would be consistent with the parameters of other bots and independent of the underlying protocol.
login/passcode is in line with the specific protocol

I tend towards consistency and username/password.

[zuo]

OK, done. :-)

[kamil-certat]

I would use usernam/password or login/passcode (stomp prefix doesn't look like necessary when we are speaking about Stomp bot :))

[zuo]

@sebix Hm, the only failing test does not seem to be related to this PR:

=========================== short test summary info ============================
FAILED intelmq/tests/bots/experts/reverse_dns/test_expert.py::TestReverseDnsExpertBot::test_invalid_ptr2 - AssertionError: {'__type': 'Event', 'source.ip': '5.157.80.[47 chars].nl'} != {'source.ip': '5.157.80.221', '__type': 'Event'}
+ {'__type': 'Event', 'source.ip': '5.157.80.221'}
- {'__type': 'Event',
-  'source.ip': '5.157.80.221',
-  'source.reverse_dns': 'aliancys.peopleinc.nl'}
====== 1 failed, 1374 passed, 236 skipped, 3 xfailed in 175.49s (0:02:55) ======

Maybe re-run could help?...

[sebix]

Maybe re-run could help?...

Yes, it did

[kamil-certat]

Looks very well, just a small suggestion. Do you have any date when the transition from certs to credentials occurs?

[kamil-certat]

As the ssl_cs_certtificate is still important, maybe let's add the check if the file exists in the check method as well? It is used during verification if IntelMQ is properly configured, see e.g.:

intelmq/intelmq/bots/outputs/file/output.py

Lines 92 to 104 in 85c215d

	@staticmethod
	def check(parameters):
	if 'file' not in parameters:
	return [["error", "Parameter 'file' not given."]]
	dirname = os.path.dirname(parameters['file'])
	if not os.path.exists(dirname) and '{ev' not in dirname:
	path = Path(dirname)
	try:
	path.mkdir(mode=0o755, parents=True, exist_ok=True)
	except OSError:
	return [["error", "Directory (%r) of parameter 'file' does not exist and could not be created." % dirname]]
	else:
	return [["info", "Directory (%r) of parameter 'file' did not exist, but has now been created." % dirname]]

[zuo]

OK, I will add such checks, together with some refactoring (to reduce code duplication...).

[kamil-certat]

Great, thanks!

[zuo]

Now I just added (among others) those checks.

[kamil-certat]

I would use usernam/password or login/passcode (stomp prefix doesn't look like necessary when we are speaking about Stomp bot :))

[zuo]

Do you have any date when the transition from certs to credentials occurs?

Soon -- in a few days -- CERT.pl will contact all interested parties (i.e., organizations that connect to the n6 Stream API), in particular (obviously) CERT.at, conveying necessary information on the upcoming auth mechanism change.

As far as I know, it is planned to turn off the old mechanism (client-certificate-based auth) around mid-November.

[kamil-certat]

Thanks for the info!

[zuo]

The latest version is a refactored one + with additional changes. In particular, now both bots implement the check() hook, other checks have been added/improved, some auto-reconnect-related fixes have been made... For more details, see the commit messages and changelog entries.

[zuo]

A few tweaks more... Now, it should be ready. :-) (I hope...)

[zuo]

@kamil-certat @sebix Sorry for the fuss with the recent forced pushes... Now the stuff is ready.

[zuo]

Now just rebased on the latest develop, no real changes made.