Example #1
    def validate_environment(self):
        """Verify the directories and the Java setup this object depends on.

        Raises IncompatibleEnvironment when ``self.basedir`` is not an
        absolute path. The directory and Java checks are delegated to
        ``pathutil`` and ``javautil``; how those helpers report a failure is
        not visible from this method.
        """
        if not pathutil.is_absolute_path(self.basedir):
            complaint = "Base directory setting is not absolute"
            raise IncompatibleEnvironment(complaint)

        # Each attribute is read right before its own check, so a problem
        # with the base directory surfaces before gtdir is looked at.
        required_dirs = (("basedir", "base"), ("gtdir", "GT container"))
        for attribute, label in required_dirs:
            pathutil.ensure_dir_exists(getattr(self, attribute), label)

        # Confirm a Java installation is usable. `log` is not a parameter of
        # this method; it is resolved from the enclosing module.
        javautil.check(self.basedir, log)
Example #2
 def validate_environment(self):
     """Check the base and GT container directories, then the Java setup.

     Raises IncompatibleEnvironment if ``self.basedir`` is a relative path.
     Failures of the delegated ``pathutil`` / ``javautil`` checks are
     reported by those helpers; their behaviour is not shown here.
     """
     base_is_absolute = pathutil.is_absolute_path(self.basedir)
     if not base_is_absolute:
         raise IncompatibleEnvironment("Base directory setting is not absolute")

     # Existence checks run in a fixed order: base first, container second.
     for attr_name, description in (("basedir", "base"),
                                    ("gtdir", "GT container")):
         pathutil.ensure_dir_exists(getattr(self, attr_name), description)

     # Make sure some Java is available; `log` comes from module scope.
     javautil.check(self.basedir, log)
Example #3
def run(basedir, cadir, certconf, keyconf, hostnameconf, log):
    """Create a new auto-named CA, then a host certificate and key from it.

    ``cadir``, ``certconf`` and ``keyconf`` must be absolute paths, otherwise
    IncompatibleEnvironment is raised. ``basedir`` is passed through to the
    ``autoca`` helpers without being checked in this function.

    NOTE(review): the inline comments say the CA directory, certificate and
    key must not already exist, but nothing here tests for that; presumably
    autoca.createCA / autoca.createCert refuse to overwrite -- confirm, since
    silently replacing a CA or host key invalidates what was issued before.
    """
    log.debug("Forcing a CA/hostcert install")

    # Refuse relative paths so the files cannot land somewhere that depends
    # on the caller's working directory.
    absolute_checks = (
        (cadir, "CA directory path is not absolute"),
        (certconf, "certificate path is not absolute"),
        (keyconf, "key path is not absolute"),
    )
    for candidate, complaint in absolute_checks:
        if not pathutil.is_absolute_path(candidate):
            raise IncompatibleEnvironment(complaint)

    # The CA comes first and is named with a freshly generated UUID.
    ca_name = pathutil.uuidgen()
    autoca.createCA(ca_name, basedir, cadir, log)
    print "Created auto CA: %s" % cadir

    # Then the host certificate and key are issued from that CA.
    autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log)
    print "\nCreated hostcert: %s" % certconf
    print "Created hostkey: %s\n" % keyconf
Example #4
def run(basedir, cadir, certconf, keyconf, hostnameconf, log):
    """Force installation of a new CA plus a host certificate/key pair.

    Raises IncompatibleEnvironment when ``cadir``, ``certconf`` or
    ``keyconf`` is not an absolute path. ``basedir`` and ``hostnameconf``
    are handed to the ``autoca`` helpers unchecked.

    NOTE(review): this function never tests whether the CA directory, the
    certificate or the key already exist; whether the autoca helpers refuse
    to overwrite existing material is not visible here -- confirm.
    """
    log.debug("Forcing a CA/hostcert install")

    # Only absolute locations are accepted for anything written to disk.
    def require_absolute(path, complaint):
        if not pathutil.is_absolute_path(path):
            raise IncompatibleEnvironment(complaint)

    require_absolute(cadir, "CA directory path is not absolute")
    require_absolute(certconf, "certificate path is not absolute")
    require_absolute(keyconf, "key path is not absolute")

    # Step one: the CA itself, named by a generated UUID.
    generated_name = pathutil.uuidgen()
    autoca.createCA(generated_name, basedir, cadir, log)
    print "Created auto CA: %s" % cadir

    # Step two: the host certificate and key signed by that CA.
    autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log)
    print "\nCreated hostcert: %s" % certconf
    print "Created hostkey: %s\n" % keyconf
    
Example #5
def adjust_gridmap_file(gridmap, basedir, gtdir, log):
    """Point the GT container's security settings at ``gridmap``.

    ``gridmap`` must be an absolute path to an existing file, and the
    container security settings file located via ``get_secdesc_path(gtdir)``
    must exist too. The change itself is made by the EXE_NEW_GRIDMAPFILE
    Java program; ``runutil.generic_bailout`` is given its exit code and
    output to decide whether the run failed.

    Raises IncompatibleEnvironment for a relative ``gridmap`` path.

    NOTE(review): only the existence of the gridmap file is checked here,
    not its owner or mode. If the container uses it for authorization
    decisions (presumably -- confirm), those deserve a check as well.
    """
    if not pathutil.is_absolute_path(gridmap):
        raise IncompatibleEnvironment("gridmap path must be absolute")
    pathutil.ensure_file_exists(gridmap, "gridmap")

    security_descriptor = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(security_descriptor,
                                "container security settings")

    # Arguments go to the Java program as a list: new gridmap, then the
    # security settings file to update.
    java_args = [gridmap, security_descriptor]
    outcome = javautil.run(basedir, log, EXE_NEW_GRIDMAPFILE, args=java_args)
    exitcode, stdout, stderr = outcome

    failure_prefix = "Problem setting new gridmap file location"
    runutil.generic_bailout(failure_prefix, exitcode, stdout, stderr)

    log.debug("Adjusted GT container gridmap file to %s" % gridmap)
Example #6
def adjust_gridmap_file(gridmap, basedir, gtdir, log):
    """Register ``gridmap`` as the GT container's gridmap file.

    Requires an absolute ``gridmap`` path (IncompatibleEnvironment
    otherwise), and that both the gridmap file and the container security
    settings file exist. The update is delegated to the EXE_NEW_GRIDMAPFILE
    Java program, whose result is passed to ``runutil.generic_bailout``.

    NOTE(review): neither file's permissions nor ownership is inspected
    here, only existence; confirm whether a caller or the Java side
    enforces that.
    """
    gridmap_is_absolute = pathutil.is_absolute_path(gridmap)
    if not gridmap_is_absolute:
        raise IncompatibleEnvironment("gridmap path must be absolute")

    pathutil.ensure_file_exists(gridmap, "gridmap")

    secdesc_path = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc_path, "container security settings")

    # The Java program receives the new gridmap first and the security
    # settings file second.
    (rc, out, err) = javautil.run(
        basedir, log, EXE_NEW_GRIDMAPFILE, args=[gridmap, secdesc_path])
    runutil.generic_bailout(
        "Problem setting new gridmap file location", rc, out, err)

    log.debug("Adjusted GT container gridmap file to %s" % gridmap)
Example #7
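def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    """Check the configured SSL certificate and key, creating them if absent.

    Relative ``certconf`` / ``keyconf`` values are resolved against
    ``basedir``. Then:

    * both files exist: the key's permissions are inspected and the function
      returns; a non-private key only produces a warning on stderr.
    * exactly one file exists: IncompatibleEnvironment is raised.
    * neither exists: an internal CA is created if ``cadir`` is not on disk
      (``cadir`` defaults to "var/ca" under ``basedir``), then a certificate
      and key are created for ``hostname``.

    When ``hostname`` is not supplied it is read interactively and defaults
    to "localhost". The CA name is read interactively as well; an empty or
    whitespace-only answer falls back to a generated UUID.

    Raises IncompatibleEnvironment when a setting is missing or when only
    one of the two files exists.
    """
    log.debug("Checking SSL")

    # If the configurations themselves are missing, we cannot continue.
    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")

    # If the configurations are relative, they are assumed to be relative from
    # the base directory.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)

    # Record which of the two files is missing; the messages are reused
    # below when only one of them is absent.
    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf

    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        # NOTE(review): a key readable by others is reported but neither
        # fixed nor treated as an error; the caller gets a normal return.
        if pathutil.is_path_private(keyconf):
            log.debug("key is owner-read only: %s" % keyconf)
        else:
            print >>sys.stderr, "***"
            print >>sys.stderr, "*** WARNING ***"
            print >>sys.stderr, "***"
            print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner.  ssl.key: '%s'" % keyconf
        return

    # If only one of the cert/key files exists, we cannot reason about
    # what to do: error.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)

    # The configured certificate and key do not exist; create them.

    print "Cannot find configured certificate and key for HTTPS, creating these for you."

    # If the internal CA does not exist, create that first.
    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        print "\nCannot find internal CA, creating this for you.\n"
        print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
        print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"

        # Split before testing for emptiness: a whitespace-only answer has no
        # words and used to crash with IndexError on split()[0].
        name_words = raw_input("Enter a name: ").split()

        if not name_words:
            ca_name = pathutil.uuidgen()
            print "You did not enter a name, using '%s'" % ca_name
        else:
            # Only the first word of the answer is used.
            ca_name = name_words[0]
            print "Using '%s'" % ca_name

        autoca.createCA(ca_name, basedir, cadir, log)
        print "\nCreated internal CA: %s" % cadir

    if not hostname:
        print "\nEnter the fully qualified hostname of this machine.  If you don't know or care right now, hit return to use 'localhost'.\n"

        # Strip so stray spaces neither defeat the 'localhost' default nor
        # end up in the name handed to createCert.
        hostname = raw_input("Hostname: ").strip()
        if not hostname:
            hostname = "localhost"
        print "Using '%s'" % hostname

    # NOTE(review): the hostname is not validated here beyond being
    # non-empty; whether autoca.createCert checks it is not visible.
    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf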
Example #8
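def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    """Verify the SSL certificate/key configuration, creating files if needed.

    ``certconf`` and ``keyconf`` are resolved against ``basedir`` when they
    are relative. If both files exist the key's permissions are checked (a
    non-private key triggers a stderr warning, not an error) and the function
    returns. If only one exists, IncompatibleEnvironment is raised. If
    neither exists, an internal CA is created when ``cadir`` (default
    "var/ca" under ``basedir``) is not on disk, and a certificate and key are
    created for ``hostname``.

    Missing ``hostname`` and the CA name are read interactively. Empty or
    whitespace-only answers fall back to "localhost" and a generated UUID
    respectively.

    Raises IncompatibleEnvironment when 'ssl.cert' or 'ssl.key' is not
    configured or when exactly one of the two files is present.
    """
    log.debug("Checking SSL")

    # If the configurations themselves are missing, we cannot continue.
    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")

    # If the configurations are relative, they are assumed to be relative from
    # the base directory.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)

    # Remember which file is absent; the message doubles as the flag.
    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf

    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        # NOTE(review): an over-permissive key is only warned about; it is
        # not tightened here and the function still returns normally.
        if pathutil.is_path_private(keyconf):
            log.debug("key is owner-read only: %s" % keyconf)
        else:
            print >> sys.stderr, "***"
            print >> sys.stderr, "*** WARNING ***"
            print >> sys.stderr, "***"
            print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner.  ssl.key: '%s'" % keyconf
        return

    # If only one of the cert/key files exists, we cannot reason about
    # what to do: error.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)

    # The configured certificate and key do not exist; create them.

    print "Cannot find configured certificate and key for HTTPS, creating these for you."

    # If the internal CA does not exist, create that first.
    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        print "\nCannot find internal CA, creating this for you.\n"
        print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
        print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"

        # A whitespace-only answer is truthy but has no words, so indexing
        # split()[0] on it raised IndexError; treat it like an empty answer.
        answer_words = raw_input("Enter a name: ").split()

        if answer_words:
            # Keep just the first word of what was typed.
            ca_name = answer_words[0]
            print "Using '%s'" % ca_name
        else:
            ca_name = pathutil.uuidgen()
            print "You did not enter a name, using '%s'" % ca_name

        autoca.createCA(ca_name, basedir, cadir, log)
        print "\nCreated internal CA: %s" % cadir

    if not hostname:
        print "\nEnter the fully qualified hostname of this machine.  If you don't know or care right now, hit return to use 'localhost'.\n"

        # Surrounding whitespace is dropped so it cannot bypass the default
        # or be carried into the certificate request.
        hostname = raw_input("Hostname: ").strip()
        if not hostname:
            hostname = "localhost"
        print "Using '%s'" % hostname

    # NOTE(review): no further validation of the hostname happens in this
    # function; confirm what autoca.createCert accepts.
    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf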
Example #9
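def main(argv=None):
    """Parse options and configuration, then run the requested subcommands.

    ``argv`` is an optional full argument vector (program name first); when
    it is empty or None the parser falls back to its own default.

    Returns 3 on a non-POSIX system and 1 when InvalidInput is caught. As far
    as this listing shows, the function otherwise falls off the end and
    returns None; InvalidConfig and IncompatibleEnvironment raised below are
    not caught by the handler visible here.
    """
    if os.name != 'posix':
        print >>sys.stderr, "Only runs on POSIX systems."
        return 3

    parser = parsersetup()

    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()

    # NOTE(review): `log` is reset to None here and used right after
    # configureLogging(); presumably that call rebinds the module-level
    # `log` -- confirm, otherwise the first log.debug() below fails.
    global log
    log = None

    printdebugoutput = False

    try:

        # 1. Intake args and confs

        validateargs(opts)
        config = getconfig(filepath=opts.configpath)

        # 2. Setup logging

        # Debug output is enabled by either the config file or the option.
        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True

        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)

        # 3. Dump settings

        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)

        insecuremode = opts.insecuremode
        if insecuremode:
            # NOTE(review): insecure mode is announced at debug level only,
            # so it is invisible at the default INFO level.
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")

        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except (TypeError, ValueError):
            # Only conversion failures are translated; a bare except would
            # also swallow KeyboardInterrupt and SystemExit.
            raise InvalidConfig("invalid token.expire_hours setting, not an integer?")

        # 4. Validate base directory

        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment("Base directory setting is not absolute, have you been altering the stanadalone launch code?")

        pathutil.ensure_dir_exists(basedir, "base", ": have you been altering the stanadalone launch code?")

        # 5. Run subcommands. The options are tested independently, so more
        # than one of them runs if several are set.

        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)

        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log,
                    printdebugoutput, insecuremode, printurl, expire_hours,
                    cadir)

        if opts.printport:
            if not port:
                raise IncompatibleEnvironment("There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except (TypeError, ValueError):
                raise IncompatibleEnvironment("'webserver.port' configuration is not an integer?")
            print port

        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment("There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
            # Relative paths are resolved against the base directory.
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
            print certconf

        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >>sys.stderr, msg
        return 1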
Example #10
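def main(argv=None):
    """Read options and configuration, then dispatch the selected actions.

    ``argv``, when given and non-empty, is a full argument vector whose
    first element (the program name) is skipped.

    Returns 3 when not running on POSIX and 1 when InvalidInput is caught.
    In this listing no other value is returned explicitly, and InvalidConfig
    / IncompatibleEnvironment are not handled by the visible except clause.
    """
    if os.name != 'posix':
        print >> sys.stderr, "Only runs on POSIX systems."
        return 3

    parser = parsersetup()

    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()

    # NOTE(review): the module-level `log` is cleared here; presumably
    # configureLogging() assigns it again before the first log.debug() call
    # below -- confirm.
    global log
    log = None

    printdebugoutput = False

    try:

        # 1. Intake args and confs

        validateargs(opts)
        config = getconfig(filepath=opts.configpath)

        # 2. Setup logging

        # Either the config file or the command line can switch debug on.
        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True

        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)

        # 3. Dump settings

        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)

        insecuremode = opts.insecuremode
        if insecuremode:
            # NOTE(review): this notice is emitted at debug level, so a run
            # at the default INFO level gives no sign of insecure mode.
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")

        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except (TypeError, ValueError):
            # Narrowed from a bare except, which also intercepted
            # KeyboardInterrupt and SystemExit.
            raise InvalidConfig(
                "invalid token.expire_hours setting, not an integer?")

        # 4. Validate base directory

        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment(
                "Base directory setting is not absolute, have you been altering the stanadalone launch code?"
            )

        pathutil.ensure_dir_exists(
            basedir, "base",
            ": have you been altering the stanadalone launch code?")

        # 5. Run subcommands. Each option is tested on its own, so several
        # actions run in this order when several options are set.

        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)

        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log,
                        printdebugoutput, insecuremode, printurl, expire_hours,
                        cadir)

        if opts.printport:
            if not port:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except (TypeError, ValueError):
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is not an integer?")
            print port

        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.cert' configuration")
            # A relative setting is taken to be relative to the base dir.
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" %
                          certconf)
            print certconf

        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" %
                          keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >> sys.stderr, msg
        return 1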