This file is indexed.

/etc/fedmsg.d/ssl.py is in python-fedmsg 0.9.3-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# This file is part of fedmsg.
# Copyright (C) 2012 - 2014 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors:  Ralph Bean <rbean@redhat.com>
#
import os
import socket

SEP = os.path.sep
here = os.getcwd()

config = dict(
    sign_messages=False,
    validate_signatures=True,

    # Use these implementations to sign and validate messages
    crypto_backend='x509',
    crypto_validate_backends=['x509'],

    ssldir="/etc/pki/fedmsg",
    crl_location="https://fedoraproject.org/fedmsg/crl.pem",
    crl_cache="/var/run/fedmsg/crl.pem",
    crl_cache_expiry=10,

    ca_cert_location="https://fedoraproject.org/fedmsg/ca.crt",
    ca_cert_cache="/var/run/fedmsg/ca.crt",
    ca_cert_cache_expiry=0,  # Never expires

    certnames={
        # In prod/stg, map hostname to the name of the cert in ssldir.
        # Unfortunately, we can't use socket.getfqdn()
        #"app01.stg": "app01.stg.phx2.fedoraproject.org",
    },

    # A mapping of fully qualified topics to a list of cert names for which
    # a valid signature is to be considered authorized.  Messages on topics not
    # listed here are considered automatically authorized.
    routing_policy={
        # Only allow announcements from production if they're signed by a
        # certain certificate.
        "org.fedoraproject.prod.announce.announcement": [
            "announce-lockbox.phx2.fedoraproject.org",
        ],
    },

    # Set this to True if you want messages to be dropped that aren't
    # explicitly whitelisted in the routing_policy.
    # When this is False, only messages that have a topic in the routing_policy
    # but whose cert names aren't in the associated list are dropped; messages
    # whose topics do not appear in the routing_policy are not dropped.
    routing_nitpicky=False,
)