def test_run(self):
# Note: this is a top-level integration tests and writes to the filesystem
flexmock(sslify).should_receive('get_nginx_config_from_freewheelers')
open('project.conf',
'w').write(open("test_data_twu54team1qa.config",
'r').read()) # create a fake local file
flexmock(sslify).should_receive('scp_output_to_server')
flexmock(sslify).should_receive(
'move_remote_tmp_nginx_config_to_real_location')
flexmock(sslify).should_receive('restart_nginx')
flexmock(sslify).should_receive('request_cert')
flexmock(sslify).should_receive('scp_output_to_server')
flexmock(sslify).should_receive(
'move_remote_tmp_nginx_config_to_real_location')
flexmock(sslify).should_receive('restart_nginx')
sslify.run(self.good_args_54_1_qa())
file_with_final_results = "out2.conf"
amended_data = nginxparser.load(open(file_with_final_results))
assert amended_data != nginxparser.load(
open("test_data_twu54team1qa.config", 'r'))
assert nginxparser.load(open(
file_with_final_results)) == self.expected_full_amended_data()
def test_add_https_redirect(self):
existing_config = nginxparser.load(
open("test_data_twu54team1qa_with_known_host.config"))
with_https_redirect = sslify.add_https_redirect(
self.qa_team1_term54_config(), existing_config)
expected = nginxparser.load(
open("test_data_twu54team1qa_with_known_host_and_redirect.config"))
assert with_https_redirect == expected
def ensure_nginxparser_instance(conf_file): # type: (str) -> [[[str]]]
if isinstance(conf_file, list):
return conf_file
elif hasattr(conf_file, "read"):
return load(conf_file)
elif path.isfile(conf_file):
with open(conf_file, "rt") as f:
return load(f)
else:
return loads(conf_file)
def nginx_cleanup():
with open('/etc/nginx/nginx.conf','r') as read_conf:
nginx_conf = nginxparser.load(read_conf)
nginx_conf = nginx_set_worker_limit(nginx_conf)
nginx_conf = nginx_clean_default_vhost(nginx_conf)
with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
nginx_conf_file.write(nginxparser.dumps(nginx_conf))
def test_parse_from_file(self):
parsed = load(open("/etc/nginx/sites-enabled/foo.conf"))
self.assertEqual(parsed, [
[['server'], [
['listen', '80'],
['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/']]]])
def remove_ips_from_nginx_upstream_conf(ips):
"""Remove ips from nginx upstream config"""
nginx_conf = load(open(NGINX_CONFIG_PATH))
upstream_line_idx = get_upstream_line_idx(nginx_conf)
for ip in ips:
nginx_conf[upstream_line_idx][1].remove(["server", ip])
dump(nginx_conf, open(NGINX_CONFIG_PATH, "w"))
def nginx_cleanup():
with open('/etc/nginx/nginx.conf', 'r') as read_conf:
nginx_conf = nginxparser.load(read_conf)
nginx_conf = nginx_set_worker_limit(nginx_conf)
nginx_conf = nginx_clean_default_vhost(nginx_conf)
with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
nginx_conf_file.write(nginxparser.dumps(nginx_conf))
def add_ips_to_nginx_upstream_conf(ips):
"""Add new ips to nginx upstream config"""
nginx_conf = load(open(NGINX_CONFIG_PATH))
upstream_line_idx = get_upstream_line_idx(nginx_conf)
for ip in ips:
nginx_conf[upstream_line_idx][1].insert(1, ["server", ip])
dump(nginx_conf, open(NGINX_CONFIG_PATH, "w"))
def test_parse_if_condation(self):
parsed = load(open("/etc/nginx/sites-enabled/if_condation.conf"))
print parsed
self.assertEqual(
parsed,
[[['server'],
[[['if', '( $request_method !~ ^(GET|POST|HEAD)$ ) ', ''],
[['return', '403']]]]]])
def get_upstream_ips():
"""
Nginx parser for upstream ips for nginx conf file structure as in
nginx/load_balancer.conf file
"""
nginx_conf = load(open(NGINX_CONFIG_PATH))
upstream_conf = [elem for elem in nginx_conf
if elem[0][0] == 'upstream'][0]
upstream_ips = [elem[1] for elem in upstream_conf[1][1:]]
return upstream_ips
def change_weights(wait_time):
signal.signal(signal.SIGINT, signal_handler)
# getting the file
config = ng.load(open("/etc/nginx/nginx.conf"))
# getting the weights
http = []
http.extend(config[-1][1])
upstreams = {}
for item in http:
if len(item) > 1 and isinstance(item[0], list):
if item[0][0] == "upstream":
tmp = []
for i in item[1]:
if i[0] == "server":
tmp.append(i[1].split())
upstreams[item[0][1]] = tmp
# changing the weights
while (1):
for w in POSSIBLE_WEIGHTS:
w = list(w) # added
print("Running with", w)
time.sleep(wait_time)
for _, v in upstreams.items():
for i in range(len(v)):
# v[i][1] = "weight={}".format(w[i]) # added
v[i][1] = "weight={}".format(w.pop())
# formatting weights
NEW_VALS = []
for _, v in upstreams.items():
for i in range(len(v)):
NEW_VALS.append("{} {}".format(v[i][0], v[i][1]))
# putting weights into the http list
j = 0 # track which val from NEW_VALS to get
for item in http:
if len(item) > 1 and isinstance(item[0], list):
if item[0][0] == "upstream":
tmp = []
for i in item[1]:
if i[0] == "server":
i[1] = NEW_VALS[j]
j += 1
# putting weights into config
config[-1][1] = http
# write out to the file
out = open("/etc/nginx/nginx.conf", 'w')
ng.dump(config, out)
# restart the nginx process
subprocess.call(["nginx", "-s", "reload"])
def get_parsed_remote_conf(conf_name,
suffix="nginx",
use_sudo=True): # type: (str, str, bool) -> [str]
if not conf_name.endswith(".conf") and not exists(conf_name):
conf_name += ".conf"
# cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :(
tempfile = mkstemp(suffix)[1]
get(remote_path=conf_name, local_path=tempfile, use_sudo=use_sudo)
with open(tempfile, "rt") as f:
conf = load(f)
remove(tempfile)
return conf
def test_parse_if_condation(self):
parsed = load(open("/etc/nginx/sites-enabled/if_condation.conf"))
print parsed
self.assertEqual(
parsed, [
[['server'], [[
['if', '( $request_method !~ ^(GET|POST|HEAD)$ ) ', ''],
[['return', '403']]
]]
]
]
)
def test_parse_from_file(self):
parsed = load(open("/etc/nginx/sites-enabled/foo.conf"))
self.assertEqual(parsed, [
['user', 'www-data'],
[['server'],
[['listen', '80'], ['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/'],
[['location', '/status'],
[
['check_status'],
[['types'], [['image/jpeg', 'jpg']]],
]]]],
])
def test_parse_from_file(self):
parsed = load(open("/etc/nginx/sites-enabled/foo.conf"))
self.assertEqual(parsed, [
['user', 'www-data'],
[['server'], [
['listen', '80'],
['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/'],
[['location','/status'], [
['check_status'],
[['types'], [['image/jpeg','jpg']]],
]]
]],
])
def test_issue():
#print 'hi'
config = load(open('../stream.conf'))
print config[0]
print config[1]
print config[2]
#str_config = dumps(config[2])
print dumps([[['server'],
[['listen', '80'], ['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/']]]])
"""
def upsert_upload(new_conf, name="default", use_sudo=True):
conf_name = "/etc/nginx/sites-enabled/{nginx_conf}".format(nginx_conf=name)
if not conf_name.endswith(".conf") and not exists(conf_name):
conf_name += ".conf"
# cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :(
tempfile = mkstemp(name)[1]
get(remote_path=conf_name, local_path=tempfile, use_sudo=use_sudo)
with open(tempfile, "rt") as f:
conf = load(f)
new_conf = new_conf(conf)
remove(tempfile)
sio = StringIO()
sio.write(dumps(new_conf))
return put(sio, conf_name, use_sudo=use_sudo)
def load_nginx_params_v1():
"""
Uses nginxparser module
nginx_config : Runtime nginx_config
nginx_config_base : config picked from base nginx file
"""
global g_config
#nginx_fp = open(get_nginx_config(), "r")
nginx_config = load(open(get_nginx_config()))
g_config['nginx_config'] = nginx_config
nginx_config_base = load(open(get_tmp_path() + '/stream.conf'))
g_config['nginx_config_base'] = nginx_config_base
set_nginx_upstream_mqtt_server()
## Assumes stream.conf file in order
## upstream block
## TCP stream block
## TLS stream block
g_config['ssl_certificate'] = '/'.join(
[os.getcwd(), get_tmp_path() + 'server.crt'])
g_config['ssl_certificate_key'] = '/'.join(
[os.getcwd(), get_tmp_path() + 'server.key'])
g_config['ssl_client_certificate'] = '/'.join(
[os.getcwd(), get_tmp_path() + 'client.crt'])
g_config['upstream_mqtt_server'] = get_nginx_upstream_mqtt_server()
g_config['nginx_config_base'][2][1][2][1] = g_config['ssl_certificate']
g_config['nginx_config_base'][2][1][3][1] = g_config['ssl_certificate_key']
g_config['nginx_config_base'][2][1][10][1] = g_config[
'ssl_client_certificate']
return
def link_nginx_confs():
import nginxparser
nginx_conf = nginxparser.load(open(NGINX_CONF_PATH))
needed_section = None
def find_sect(sect, name):
for sub_sect in sect:
if len(sub_sect) > 0 and len(
sub_sect[0]) > 0 and sub_sect[0][0] == name:
return sub_sect
return None
http_sect = find_sect(nginx_conf, 'http')[1]
#if http_sect is not None:
# server_sect = find_sect(http_sect, 'server')
#for section in nginx_conf:
# if len(section) > 0 and len(sect[0] > 0) and sect[0][0] == 'http':
# needed_section = section
#find include
includes = []
for field in http_sect:
if type(field) is list and (len(field) == 2) and type(field[0]) is str:
if field[0] == 'include':
includes.append(field)
already_included = False
for include in includes:
if include[1] == KOSAND_INCLUDE_PATH_FOR_NGINX_CONF:
already_included = True
if not already_included:
http_sect.append(['include', KOSAND_INCLUDE_PATH_FOR_NGINX_CONF])
backup_nginx_conf()
tmp_nginx_path = '/tmp/kosand_nginx.conf'
with open(tmp_nginx_path, 'w') as f:
f.write(nginxparser.dumps(nginx_conf) + '\n')
arg_tuple = (tmp_nginx_path, NGINX_CONF_PATH, tmp_nginx_path)
os.system('sudo cp %s %s; rm %s' % arg_tuple)
else:
print('NEEDED NGINX CONF FIELD ALREADY FOUND!')
def parse_nginx_conf(ngconf_path):
web_paths = []
try:
import nginxparser
except Exception:
pass
else:
if common.is_linux() and os.path.exists(ngconf_path):
for root, dirs, files in os.walk(ngconf_path):
for f in files:
confs = nginxparser.load(open(os.path.join(root, f)))
for conf in confs:
for setting in conf[1]:
if setting[0] == 'root':
web_paths.append(setting[1])
return web_paths
def test_parse_from_file(self):
parsed = load(open("/etc/nginx/sites-enabled/foo.conf"))
self.assertEqual(
parsed,
[['user', 'www-data']],
[['server'], [
['listen', '80'],
['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/'],
[['location', '/status'], [
['check_status'],
[['types'], [['image/jpeg', 'jpg']]],
]],
[['location', '~', 'case_sensitive\.php$']],
[['location', '~*', 'case_insensitive\.php$']],
[['location', '=', 'exact_match\.php$']],
[['location', '^~', 'ignore_regex\.php$']],
]],
)
def update_nginx_confs(self):
available_domains = self.list_available_certs()
filepath = self.settings.basedir + self.settings.domainfile
domains = ''
if os.path.isfile(filepath):
with open(filepath) as f:
domains = f.readlines()
domains = [x.strip() for x in domains]
domains = "\n".join(domains)
mysplit = domains.split("\n")
# Gets all enabled sites
available_nginx_files = self.list_enabled_nginx_confs()
for curr_domain in available_domains:
for curr_nginx_file in available_nginx_files:
logging.debug("## Use Certs: Checking config file - %s ##" % curr_nginx_file)
if self.settings.nginx_config in curr_nginx_file:
logging.debug("Skipping file: %s" % curr_nginx_file)
continue
# Path is to the sites_available directory
filepath = self.settings.nginx_sites_available + curr_nginx_file
if not os.path.isfile(filepath):
logging.debug("File not in sites_available directory.. continuing")
continue
loaded_conf = load(open(filepath))
for servers in loaded_conf:
server_conf = servers[1]
ssl_true = False
listen_position = None
server_name_position = None
ssl_cert_position = None
ssl_cert_key_position = None
curr_pos = 0
for lines in server_conf:
if isinstance(lines[0], str):
if 'server_name' in lines[0] and len(lines) > 1:
if server_name_position is not None:
logging.debug("There must be more than one server_name_position.. skipping this file because we don't know how to handle it.")
print("CONF %s" % loaded_conf)
break
server_name_position = curr_pos
if 'listen' in lines[0] and len(lines) > 1:
if listen_position is not None:
listen_position = [listen_position]
listen_position.append(curr_pos)
print("There are multiple listen positions: %s" % listen_position)
else:
listen_position = curr_pos
if 'ssl_certificate' in lines[0] and 'ssl_certificate_key' not in lines[0] and len(lines) > 1:
if ssl_cert_position is not None:
logging.debug("There must be more than one ssl_certificate.. skipping this file because we don't know how to handle it.")
print("CONF %s" % lines[0])
break
ssl_cert_position = curr_pos
if 'ssl_certificate_key' in lines[0] and len(lines) > 1:
if ssl_cert_key_position is not None:
logging.debug("There must be more than one ssl_certificate_key.. skipping this file because we don't know how to handle it.")
print("CONF %s" % lines[0])
break
ssl_cert_key_position = curr_pos
curr_pos += 1
if listen_position is not None and server_name_position is not None:
logging.debug("We have both listen and server name positions: listen position: %s | server_name_position: %s" % (listen_position, server_name_position))
found_it = False
for domain_list_line in mysplit:
if found_it is True:
break
secondsplit = domain_list_line.split(" ")
for domains in secondsplit:
logging.debug("CHECKING DOMAIN %s with: %s" % (server_conf[server_name_position][1], domains))
if server_conf[server_name_position][1] in domains:
logging.debug("found our domain: %s in the list of domains" % server_conf[server_name_position][1])
found_it = True
break
if found_it is False:
logging.debug("Server Config does not have any of our domains with SSL certs in the 'server_name' position.. skipping this config.")
continue
# Check if SSL is already setup
if ssl_cert_key_position is not None and ssl_cert_position is not None:
# Check if ports are setup too
if isinstance(listen_position, list):
already_setup = False
for listens in listen_position:
if "443" in server_conf[listens][1]:
already_setup = True
break
if already_setup is True:
logging.debug("This server is already setup for SSL")
continue
elif isinstance(listen_position, str):
if "443" in server_conf[listens][1]:
continue
# Lets setup SSL now...
logging.debug("Attempting to setup SSL for domain: %s" % curr_domain)
# Multiple listen calls..
if isinstance(listen_position, list):
already_setup = False
for listens in listen_position:
if "443" in server_conf[listens][1]:
already_setup = True
break
# Check if ssl port is already set
if already_setup is True:
logging.debug("Server port already setup for SSL")
# 443 not set... set one of the listen calls to 443
else:
server_conf[listen_position[0]][1]
# ssl port set already
if "443 ssl" in server_conf[listen_position[0]][1]:
logging.debug("Server port already setup for SSL")
# ssl port not set yet..
else:
if ":" in server_conf[listen_position[0]][1]:
tmp = server_conf[listen_position[0]][1].split(":")
if tmp[1]:
logging.debug("old port value %s" % server_conf[listen_position[0]][1])
r = re.compile(r"\d{2,5}")
tmp[1] = r.sub("443 ssl", tmp[1])
server_conf[listen_position[0]][1] = ':'.join(tmp)
logging.debug("new port value: %s" % server_conf[listen_position[0]][1])
else:
logging.debug("old port value: %s" % server_conf[listen_position[0]][1])
r = re.compile(r"\d{2,5}")
tmp = r.sub("443 ssl", server_conf[listen_position[0]][1])
server_conf[listen_position[0]][1] = tmp
logging.debug("new port value: %s" % server_conf[listen_position[0]][1])
# Single listen call..
else:
# ssl port set already
if "443 ssl" in server_conf[listen_position][1]:
logging.debug("Server port already setup for SSL")
# ssl port not set yet..
else:
if ":" in server_conf[listen_position][1]:
tmp = server_conf[listen_position][1].split(":")
if tmp[1]:
logging.debug("old port value %s" % server_conf[listen_position][1])
r = re.compile(r"\d{2,5}")
tmp[1] = r.sub("443 ssl", tmp[1])
server_conf[listen_position][1] = ':'.join(tmp)
logging.debug("new port value: %s" % server_conf[listen_position][1])
else:
logging.debug("old port value: %s" % server_conf[listen_position][1])
r = re.compile(r"\d{2,5}")
tmp = r.sub("443 ssl", server_conf[listen_position][1])
server_conf[listen_position][1] = tmp
logging.debug("new port value: %s" % server_conf[listen_position][1])
cert_path = self.settings.basedir + '/certs/' + curr_domain + '/fullchain.pem'
cert_key_path = self.settings.basedir + '/certs/' + curr_domain + '/privkey.pem'
if ssl_cert_position is None:
server_conf.insert(0, ["ssl_certificate", cert_path])
else:
server_conf[ssl_cert_position][1] = cert_path
if ssl_cert_key_position is None:
server_conf.insert(1, ["ssl_certificate_key", cert_key_path])
else:
server_conf[ssl_cert_key_position][1] = cert_key_path
file = open(filepath,"w")
file.write(dumps(loaded_conf))
file.close()
logging.debug("## FINISHED WITH SETTING UP NGINX WITH CERTS ##")
self.context.notify('info', 'Nginx is now using your valid certs.')
def load_term54team5envqa_with_known_host(self):
return nginxparser.load(
open("test_data_twu54team1qa_with_known_host.config"))
def load_term54team5envqa(self):
return nginxparser.load(open("test_data_twu54team1qa.config"))
def main():
global wapt_folder,NGINX_GID
parser = OptionParser(usage=usage, version=__version__)
parser.add_option(
'-c',
'--config',
dest='configfile',
default=waptserver.config.DEFAULT_CONFIG_FILE,
help='Config file full path (default: %default)')
parser.add_option(
"-s",
"--force-https",
dest="force_https",
default=False,
action='store_true',
help="Use https only, http is 301 redirected to https (default: False). Requires a proper DNS name")
(options, args) = parser.parse_args()
if postconf.yesno("Do you want to launch post configuration tool ?") != postconf.DIALOG_OK:
print "canceling wapt postconfiguration"
sys.exit(1)
# TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql)
if type_redhat():
if re.match('^SELinux status:.*enabled', run('sestatus')):
postconf.msgbox('SELinux detected, tweaking httpd permissions.')
run('setsebool -P httpd_can_network_connect 1')
run('setsebool -P httpd_setrlimit on')
for sepath in ('wapt','wapt-host'):
run('semanage fcontext -a -t httpd_sys_content_t "/var/www/html/%s(/.*)?"' %sepath)
run('restorecon -R -v /var/www/html/%s' %sepath)
postconf.msgbox('SELinux correctly configured for Nginx reverse proxy')
server_config = waptserver.config.load_config(options.configfile)
if os.path.isfile(options.configfile):
print('making a backup copy of the configuration file')
datetime_now = datetime.datetime.now()
shutil.copyfile(options.configfile,'%s.bck_%s'% (options.configfile,datetime_now.isoformat()) )
wapt_folder = server_config['wapt_folder']
# add secret key initialisation string (for session token)
if not server_config['secret_key']:
server_config['secret_key'] = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(64))
# add user db and password in ini file
if server_config['db_host'] in (None,'','localhost','127.0.0.1','::1'):
ensure_postgresql_db(db_name=server_config['db_name'],db_owner=server_config['db_name'],db_password=server_config['db_password'])
# Password setup/reset screen
if not server_config['wapt_password'] or \
postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK:
wapt_password_ok = False
while not wapt_password_ok:
wapt_password = ''
wapt_password_check = ''
while wapt_password == '':
(code,wapt_password) = postconf.passwordbox("Please enter the wapt server password (min. 10 characters): ", insecure=True,width=100)
if code != postconf.DIALOG_OK:
exit(0)
while wapt_password_check == '':
(code,wapt_password_check) = postconf.passwordbox("Please enter the wapt server password again: ", insecure=True,width=100)
if code != postconf.DIALOG_OK:
exit(0)
if wapt_password != wapt_password_check:
postconf.msgbox('Password mismatch !')
elif len(wapt_password) < 10:
postconf.msgbox('Password must be at least 10 characters long !')
else:
wapt_password_ok = True
password = pbkdf2_sha256.hash(wapt_password.encode('utf8'))
server_config['wapt_password'] = password
if not server_config['server_uuid']:
server_config['server_uuid'] = str(uuid.uuid1())
# waptagent authentication method
choices = [
("1","Allow unauthenticated registration, same behavior as wapt 1.3", True),
("2","Enable kerberos authentication required for machines registration", False),
("3","Disable Kerberos but registration require strong authentication", False),
]
code, t = postconf.radiolist("WaptAgent Authentication type?", choices=choices,width=120)
if code=='cancel':
print("\n\npostconfiguration canceled\n\n")
sys.exit(1)
if t=="1":
server_config['allow_unauthenticated_registration'] = True
server_config['use_kerberos'] = False
if t=="2":
server_config['allow_unauthenticated_registration'] = False
server_config['use_kerberos'] = True
if t=="3":
server_config['allow_unauthenticated_registration'] = False
server_config['use_kerberos'] = False
waptserver.config.write_config_file(cfgfile=options.configfile,server_config=server_config,non_default_values_only=True)
run("/bin/chmod 640 %s" % options.configfile)
run("/bin/chown wapt %s" % options.configfile)
repo = WaptLocalRepo(wapt_folder)
repo.update_packages_index(force_all=True)
final_msg = ['Postconfiguration completed.',]
postconf.msgbox("Press ok to start waptserver and wapttasks daemons")
enable_waptserver()
start_waptserver()
# In this new version Apache is replaced with Nginx? Proceed to disable Apache. After migration one can remove Apache install altogether
try:
run_verbose('systemctl stop %s' % APACHE_SVC)
except:
pass
try:
run_verbose('systemctl disable %s' % APACHE_SVC)
except:
pass
# nginx configuration dialog
reply = postconf.yesno("Do you want to configure nginx?")
if reply == postconf.DIALOG_OK:
try:
fqdn = socket.getfqdn()
if not fqdn:
fqdn = 'wapt'
if '.' not in fqdn:
fqdn += '.lan'
msg = 'FQDN for the WAPT server (eg. wapt.acme.com)'
(code, reply) = postconf.inputbox(text=msg, width=len(msg)+4, init=fqdn)
if code != postconf.DIALOG_OK:
exit(1)
else:
fqdn = reply
dh_filename = '/etc/ssl/certs/dhparam.pem'
if not os.path.exists(dh_filename):
run_verbose('openssl dhparam -out %s 2048' % dh_filename)
os.chown(dh_filename, 0, NGINX_GID) #pylint: disable=no-member
os.chmod(dh_filename, 0o640) #pylint: disable=no-member
# cleanup of nginx.conf file
with open('/etc/nginx/nginx.conf','r') as read_conf:
nginx_conf = nginxparser.load(read_conf)
nginx_conf = nginx_set_worker_limit(nginx_conf)
nginx_conf = nginx_clean_default_vhost(nginx_conf)
with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
nginx_conf_file.write(nginxparser.dumps(nginx_conf))
if server_config['use_kerberos']:
if type_debian():
if not check_if_deb_installed('libnginx-mod-http-auth-spnego'):
print('missing dependency libnginx-mod-http-auth-spnego, please install first before configuring kerberos')
sys.exit(1)
make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn, server_config['use_kerberos'], options.force_https,server_config['waptserver_port'])
final_msg.append('Please connect to https://' + fqdn + '/ to access the server.')
postconf.msgbox("The Nginx config is done. We need to restart Nginx?")
run_verbose('systemctl enable nginx')
run_verbose('systemctl restart nginx')
setup_firewall()
except subprocess.CalledProcessError as cpe:
final_msg += [
'Error while trying to configure Nginx!',
'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output
]
except Exception as e:
import traceback
final_msg += [
'Error while trying to configure Nginx!',
traceback.format_exc()
]
if check_mongo2pgsql_upgrade_needed(options.configfile) and\
postconf.yesno("It is necessary to migrate current database backend from mongodb to postgres. Press yes to start migration",no_label='cancel') == postconf.DIALOG_OK:
upgrade2postgres(options.configfile)
width = 4 + max(10, len(max(final_msg, key=len)))
height = 2 + max(20, len(final_msg))
postconf.msgbox('\n'.join(final_msg), height=height, width=width)
additional[-1][-1].append(location)
return additional
def add_locations(config, additional):
for conf in additional[0][1]:
config[1][-1].append(conf)
return config
if __name__ == "__main__":
args = parse_args()
config_path = os.path.join(args.root, "nginx.conf")
additional_path = os.path.join(args.root, "nginx_additional")
if not os.path.isfile(additional_path):
with open(additional_path, 'w') as f:
f.write('server { }')
config = load(open(config_path))
additional = load(open(additional_path))
if args.folder:
additional = serve_folder(additional, args.persistent, args.folder)
dump(additional, open(additional_path, 'w'))
if args.reload:
config = add_locations(config, additional)
dump(config, open(config_path, 'w'))
def getProjectInfo(file_path):
print file_path
print load(open(file_path, "r"))
def main():
global wapt_folder, MONGO_SVC, APACHE_SVC, NGINX_GID
parser = OptionParser(usage=usage, version='waptserver.py ' + __version__)
parser.add_option(
"-k",
"--use-kerberos",
dest="use_kerberos",
default=False,
action='store_true',
help="Use kerberos for host registration (default: False)")
parser.add_option(
"-s",
"--force-https",
dest="force_https",
default=False,
action='store_true',
help=
"Use https only, http is 301 redirected to https (default: False). Requires a proper DNS name"
)
(options, args) = parser.parse_args()
if postconf.yesno("Do you want to launch post configuration tool ?"
) != postconf.DIALOG_OK:
print "canceling wapt postconfiguration"
sys.exit(1)
# TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql)
if type_redhat():
if re.match('^SELinux status:.*enabled',
subprocess.check_output('sestatus')):
postconf.msgbox('SELinux detected, tweaking httpd permissions.')
run('setsebool -P httpd_can_network_connect 1')
run('setsebool -P httpd_setrlimit on')
for sepath in ('wapt', 'wapt-host', 'wapt-hostref'):
run('semanage fcontext -a -t httpd_sys_content_t "/var/www/html/%s(/.*)?"'
% sepath)
run('restorecon -R -v /var/www/html/%s' % sepath)
postconf.msgbox(
'SELinux correctly configured for Nginx reverse proxy')
if not os.path.isfile('/opt/wapt/conf/waptserver.ini'):
shutil.copyfile('/opt/wapt/waptserver/waptserver.ini.template',
'/opt/wapt/conf/waptserver.ini')
else:
print('making a backup copy of the configuration file')
datetime_now = datetime.datetime.now()
shutil.copyfile(
'/opt/wapt/conf/waptserver.ini',
'/opt/wapt/conf/waptserver.ini.bck_%s' % datetime_now.isoformat())
waptserver_ini = iniparse.RawConfigParser()
waptserver_ini.readfp(file('/opt/wapt/conf/waptserver.ini', 'rU'))
if waptserver_ini.has_section('uwsgi'):
print('Remove uwsgi options, not used anymore')
waptserver_ini.remove_section('uwsgi')
# add secret key initialisation string (for session token)
if not waptserver_ini.has_option('options', 'secret_key'):
waptserver_ini.set(
'options', 'secret_key', ''.join(
random.SystemRandom().choice(string.letters + string.digits)
for _ in range(64)))
# add user db and password in ini file
ensure_postgresql_db()
print("create database schema")
run(" sudo -u wapt python /opt/wapt/waptserver/waptserver_model.py init_db "
)
mongo_update_status = check_mongo2pgsql_upgrade_needed(waptserver_ini)
if mongo_update_status == 0:
print("already running postgresql, trying to upgrade structure")
run("sudo -u wapt python /opt/wapt/waptserver/waptserver_upgrade.py upgrade_structure"
)
elif mongo_update_status == 1:
print(
"need to upgrade from mongodb to postgres, please launch python /opt/wapt/waptserver/waptserver_upgrade.py upgrade2postgres"
)
sys.exit(1)
elif mongo_update_status == 2:
print("something not normal please check your installation first")
sys.exit(1)
if os.path.isdir(wapt_folder):
waptserver_ini.set('options', 'wapt_folder', wapt_folder)
else:
# for install on windows
# keep in sync with waptserver.py
wapt_folder = os.path.join(wapt_root_dir, 'waptserver', 'repository',
'wapt')
# if os.path.exists(os.path.join(wapt_root_dir, 'waptserver', 'wsus.py')):
# waptserver_ini.set('uwsgi', 'attach-daemon', '/usr/bin/python /opt/wapt/waptserver/wapthuey.py wsus.huey')
if not waptserver_ini.has_option('options', 'wapt_password') or \
not waptserver_ini.get('options', 'wapt_password') or \
postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK:
wapt_password_ok = False
while not wapt_password_ok:
wapt_password = ''
wapt_password_check = ''
while wapt_password == '':
(code, wapt_password) = postconf.passwordbox(
"Please enter the wapt server password: "******"Please enter the wapt server password again: ",
insecure=True)
if code != postconf.DIALOG_OK:
exit(0)
if wapt_password != wapt_password_check:
postconf.msgbox('Password mismatch!')
else:
wapt_password_ok = True
password = pbkdf2_sha256.hash(wapt_password.encode('utf8'))
waptserver_ini.set('options', 'wapt_password', password)
if not waptserver_ini.has_option('options', 'server_uuid'):
waptserver_ini.set('options', 'server_uuid', str(uuid.uuid1()))
if options.use_kerberos:
waptserver_ini.set('options', 'use_kerberos', 'True')
else:
waptserver_ini.set('options', 'use_kerberos', 'False')
with open('/opt/wapt/conf/waptserver.ini', 'w') as inifile:
run("/bin/chmod 640 /opt/wapt/conf/waptserver.ini")
run("/bin/chown wapt /opt/wapt/conf/waptserver.ini")
waptserver_ini.write(inifile)
# TODO : remove mongodb lines that are commented out
run('python /opt/wapt/wapt-scanpackages.py %s ' % wapt_folder)
final_msg = [
'Postconfiguration completed.',
]
postconf.msgbox("Press ok to start waptserver")
enable_waptserver()
start_waptserver()
# In this new version Apache is replaced with Nginx? Proceed to disable Apache. After migration one can remove Apache install altogether
try:
print(
subprocess.check_output('systemctl stop %s' % APACHE_SVC,
shell=True))
except:
pass
try:
print(
subprocess.check_output('systemctl disable %s' % APACHE_SVC,
shell=True))
except:
pass
reply = postconf.yesno("Do you want to configure nginx?")
if reply == postconf.DIALOG_OK:
try:
fqdn = socket.getfqdn()
if not fqdn:
fqdn = 'wapt'
if '.' not in fqdn:
fqdn += '.lan'
msg = 'FQDN for the WAPT server (eg. wapt.acme.com)'
(code, reply) = postconf.inputbox(text=msg,
width=len(msg) + 4,
init=fqdn)
if code != postconf.DIALOG_OK:
exit(1)
else:
fqdn = reply
dh_filename = '/etc/ssl/certs/dhparam.pem'
if not os.path.exists(dh_filename):
print(
subprocess.check_output('openssl dhparam -out %s 2048' %
dh_filename,
shell=True))
os.chown(dh_filename, 0, NGINX_GID)
os.chmod(dh_filename, 0o640)
# cleanup of nginx.conf file
with open('/etc/nginx/nginx.conf', 'r') as read_conf:
nginx_conf = nginxparser.load(read_conf)
nginx_conf = nginx_set_worker_limit(nginx_conf)
nginx_conf = nginx_clean_default_vhost(nginx_conf)
with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
nginx_conf_file.write(nginxparser.dumps(nginx_conf))
if options.use_kerberos:
if type_debian():
if not check_if_deb_installed(
'libnginx-mod-http-auth-spnego'):
print(
'missing dependency libnginx-mod-http-auth-spnego, please install first before configuring kerberos'
)
sys.exit(1)
elif type_redhat():
import yum
yb = yum.YumBase()
yb.conf.cache = os.geteuid() != 1
pkgs = yb.rpmdb.returnPackages()
found = False
for pkg in pkgs:
if pkg.name == 'nginx-mod-http-auth-spnego':
found = True
if found == False:
print(
'missing dependency nginx-mod-http-auth-spnego, please install first before configuring kerberos'
)
sys.exit(1)
make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn,
options.use_kerberos, options.force_https)
final_msg.append('Please connect to https://' + fqdn +
'/ to access the server.')
postconf.msgbox(
"The Nginx config is done. We need to restart Nginx?")
print(subprocess.check_output('systemctl enable nginx',
shell=True))
print(
subprocess.check_output('systemctl restart nginx', shell=True))
setup_firewall()
except subprocess.CalledProcessError as cpe:
final_msg += [
'Error while trying to configure Nginx!',
'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output
]
except Exception as e:
import traceback
final_msg += [
'Error while trying to configure Nginx!',
traceback.format_exc()
]
width = 4 + max(10, len(max(final_msg, key=len)))
height = 2 + max(20, len(final_msg))
postconf.msgbox('\n'.join(final_msg), height=height, width=width)
found = True
print 'pyparsing is installed...'
except ImportError:
found = False
print 'pyparsing is not installed...'
print 'Installing now...'
owd = os.getcwd()
os.system('sudo git clone https://github.com/saikounonou5/pymods.git')
os.chdir('/pymods')
os.system('sudo rpm -ivh pyparsing-*.rpm')
os.chdir(owd)
from nginxparser import load,dump,dumps
import pyparsing
#Configure root and listener in nginx.config
j= load(open('/etc/nginx/nginx.conf'))
count=0
#Loop down to server config vars
for line in j:
for l in line:
for v in l:
for g in v:
for t in g:
if 'listen' in t:
if t[1] != '8000 default_server' and count == 0:
t[0]= 'listen'
t[1]= '8000 default_server'
print 'Listener port set to 8000'
count+=1
else:
[['root', persistence]]])
additional[-1][-1].append(location)
return additional
def add_locations(config, additional):
for conf in additional[0][1]:
config[1][-1].append(conf)
return config
if __name__ == "__main__":
args = parse_args()
config_path = os.path.join(args.root, "nginx.conf")
additional_path = os.path.join(args.root, "nginx_additional")
if not os.path.isfile(additional_path):
with open(additional_path, 'w') as f:
f.write('server { }')
config = load(open(config_path))
additional = load(open(additional_path))
if args.folder:
additional = serve_folder(additional, args.persistent, args.folder)
dump(additional, open(additional_path, 'w'))
if args.reload:
config = add_locations(config, additional)
dump(config, open(config_path, 'w'))
def __init__(self, path, options):
Config.__init__(self, path, options)
with open(path, 'r') as f:
self.config = nginxparser.load(f)
def test_parse_from_file(self):
parsed = load(open("/etc/nginx/sites-enabled/foo.conf"))
self.assertEqual(parsed,
[[['server'],
[['listen', '80'], ['server_name', 'foo.com'],
['root', '/home/ubuntu/sites/foo/']]]])
