def test_run(self): # Note: this is a top-level integration tests and writes to the filesystem flexmock(sslify).should_receive('get_nginx_config_from_freewheelers') open('project.conf', 'w').write(open("test_data_twu54team1qa.config", 'r').read()) # create a fake local file flexmock(sslify).should_receive('scp_output_to_server') flexmock(sslify).should_receive( 'move_remote_tmp_nginx_config_to_real_location') flexmock(sslify).should_receive('restart_nginx') flexmock(sslify).should_receive('request_cert') flexmock(sslify).should_receive('scp_output_to_server') flexmock(sslify).should_receive( 'move_remote_tmp_nginx_config_to_real_location') flexmock(sslify).should_receive('restart_nginx') sslify.run(self.good_args_54_1_qa()) file_with_final_results = "out2.conf" amended_data = nginxparser.load(open(file_with_final_results)) assert amended_data != nginxparser.load( open("test_data_twu54team1qa.config", 'r')) assert nginxparser.load(open( file_with_final_results)) == self.expected_full_amended_data()
def test_add_https_redirect(self): existing_config = nginxparser.load( open("test_data_twu54team1qa_with_known_host.config")) with_https_redirect = sslify.add_https_redirect( self.qa_team1_term54_config(), existing_config) expected = nginxparser.load( open("test_data_twu54team1qa_with_known_host_and_redirect.config")) assert with_https_redirect == expected
def ensure_nginxparser_instance(conf_file): # type: (str) -> [[[str]]] if isinstance(conf_file, list): return conf_file elif hasattr(conf_file, "read"): return load(conf_file) elif path.isfile(conf_file): with open(conf_file, "rt") as f: return load(f) else: return loads(conf_file)
def nginx_cleanup(): with open('/etc/nginx/nginx.conf','r') as read_conf: nginx_conf = nginxparser.load(read_conf) nginx_conf = nginx_set_worker_limit(nginx_conf) nginx_conf = nginx_clean_default_vhost(nginx_conf) with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file: nginx_conf_file.write(nginxparser.dumps(nginx_conf))
def test_parse_from_file(self): parsed = load(open("/etc/nginx/sites-enabled/foo.conf")) self.assertEqual(parsed, [ [['server'], [ ['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/']]]])
def remove_ips_from_nginx_upstream_conf(ips): """Remove ips from nginx upstream config""" nginx_conf = load(open(NGINX_CONFIG_PATH)) upstream_line_idx = get_upstream_line_idx(nginx_conf) for ip in ips: nginx_conf[upstream_line_idx][1].remove(["server", ip]) dump(nginx_conf, open(NGINX_CONFIG_PATH, "w"))
def nginx_cleanup(): with open('/etc/nginx/nginx.conf', 'r') as read_conf: nginx_conf = nginxparser.load(read_conf) nginx_conf = nginx_set_worker_limit(nginx_conf) nginx_conf = nginx_clean_default_vhost(nginx_conf) with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file: nginx_conf_file.write(nginxparser.dumps(nginx_conf))
def add_ips_to_nginx_upstream_conf(ips): """Add new ips to nginx upstream config""" nginx_conf = load(open(NGINX_CONFIG_PATH)) upstream_line_idx = get_upstream_line_idx(nginx_conf) for ip in ips: nginx_conf[upstream_line_idx][1].insert(1, ["server", ip]) dump(nginx_conf, open(NGINX_CONFIG_PATH, "w"))
def test_parse_if_condation(self): parsed = load(open("/etc/nginx/sites-enabled/if_condation.conf")) print parsed self.assertEqual( parsed, [[['server'], [[['if', '( $request_method !~ ^(GET|POST|HEAD)$ ) ', ''], [['return', '403']]]]]])
def get_upstream_ips(): """ Nginx parser for upstream ips for nginx conf file structure as in nginx/load_balancer.conf file """ nginx_conf = load(open(NGINX_CONFIG_PATH)) upstream_conf = [elem for elem in nginx_conf if elem[0][0] == 'upstream'][0] upstream_ips = [elem[1] for elem in upstream_conf[1][1:]] return upstream_ips
def change_weights(wait_time): signal.signal(signal.SIGINT, signal_handler) # getting the file config = ng.load(open("/etc/nginx/nginx.conf")) # getting the weights http = [] http.extend(config[-1][1]) upstreams = {} for item in http: if len(item) > 1 and isinstance(item[0], list): if item[0][0] == "upstream": tmp = [] for i in item[1]: if i[0] == "server": tmp.append(i[1].split()) upstreams[item[0][1]] = tmp # changing the weights while (1): for w in POSSIBLE_WEIGHTS: w = list(w) # added print("Running with", w) time.sleep(wait_time) for _, v in upstreams.items(): for i in range(len(v)): # v[i][1] = "weight={}".format(w[i]) # added v[i][1] = "weight={}".format(w.pop()) # formatting weights NEW_VALS = [] for _, v in upstreams.items(): for i in range(len(v)): NEW_VALS.append("{} {}".format(v[i][0], v[i][1])) # putting weights into the http list j = 0 # track which val from NEW_VALS to get for item in http: if len(item) > 1 and isinstance(item[0], list): if item[0][0] == "upstream": tmp = [] for i in item[1]: if i[0] == "server": i[1] = NEW_VALS[j] j += 1 # putting weights into config config[-1][1] = http # write out to the file out = open("/etc/nginx/nginx.conf", 'w') ng.dump(config, out) # restart the nginx process subprocess.call(["nginx", "-s", "reload"])
def get_parsed_remote_conf(conf_name, suffix="nginx", use_sudo=True): # type: (str, str, bool) -> [str] if not conf_name.endswith(".conf") and not exists(conf_name): conf_name += ".conf" # cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :( tempfile = mkstemp(suffix)[1] get(remote_path=conf_name, local_path=tempfile, use_sudo=use_sudo) with open(tempfile, "rt") as f: conf = load(f) remove(tempfile) return conf
def test_parse_if_condation(self): parsed = load(open("/etc/nginx/sites-enabled/if_condation.conf")) print parsed self.assertEqual( parsed, [ [['server'], [[ ['if', '( $request_method !~ ^(GET|POST|HEAD)$ ) ', ''], [['return', '403']] ]] ] ] )
def test_parse_from_file(self): parsed = load(open("/etc/nginx/sites-enabled/foo.conf")) self.assertEqual(parsed, [ ['user', 'www-data'], [['server'], [['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/'], [['location', '/status'], [ ['check_status'], [['types'], [['image/jpeg', 'jpg']]], ]]]], ])
def test_parse_from_file(self): parsed = load(open("/etc/nginx/sites-enabled/foo.conf")) self.assertEqual(parsed, [ ['user', 'www-data'], [['server'], [ ['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/'], [['location','/status'], [ ['check_status'], [['types'], [['image/jpeg','jpg']]], ]] ]], ])
def test_issue(): #print 'hi' config = load(open('../stream.conf')) print config[0] print config[1] print config[2] #str_config = dumps(config[2]) print dumps([[['server'], [['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/']]]]) """
def upsert_upload(new_conf, name="default", use_sudo=True): conf_name = "/etc/nginx/sites-enabled/{nginx_conf}".format(nginx_conf=name) if not conf_name.endswith(".conf") and not exists(conf_name): conf_name += ".conf" # cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :( tempfile = mkstemp(name)[1] get(remote_path=conf_name, local_path=tempfile, use_sudo=use_sudo) with open(tempfile, "rt") as f: conf = load(f) new_conf = new_conf(conf) remove(tempfile) sio = StringIO() sio.write(dumps(new_conf)) return put(sio, conf_name, use_sudo=use_sudo)
def load_nginx_params_v1(): """ Uses nginxparser module nginx_config : Runtime nginx_config nginx_config_base : config picked from base nginx file """ global g_config #nginx_fp = open(get_nginx_config(), "r") nginx_config = load(open(get_nginx_config())) g_config['nginx_config'] = nginx_config nginx_config_base = load(open(get_tmp_path() + '/stream.conf')) g_config['nginx_config_base'] = nginx_config_base set_nginx_upstream_mqtt_server() ## Assumes stream.conf file in order ## upstream block ## TCP stream block ## TLS stream block g_config['ssl_certificate'] = '/'.join( [os.getcwd(), get_tmp_path() + 'server.crt']) g_config['ssl_certificate_key'] = '/'.join( [os.getcwd(), get_tmp_path() + 'server.key']) g_config['ssl_client_certificate'] = '/'.join( [os.getcwd(), get_tmp_path() + 'client.crt']) g_config['upstream_mqtt_server'] = get_nginx_upstream_mqtt_server() g_config['nginx_config_base'][2][1][2][1] = g_config['ssl_certificate'] g_config['nginx_config_base'][2][1][3][1] = g_config['ssl_certificate_key'] g_config['nginx_config_base'][2][1][10][1] = g_config[ 'ssl_client_certificate'] return
def link_nginx_confs(): import nginxparser nginx_conf = nginxparser.load(open(NGINX_CONF_PATH)) needed_section = None def find_sect(sect, name): for sub_sect in sect: if len(sub_sect) > 0 and len( sub_sect[0]) > 0 and sub_sect[0][0] == name: return sub_sect return None http_sect = find_sect(nginx_conf, 'http')[1] #if http_sect is not None: # server_sect = find_sect(http_sect, 'server') #for section in nginx_conf: # if len(section) > 0 and len(sect[0] > 0) and sect[0][0] == 'http': # needed_section = section #find include includes = [] for field in http_sect: if type(field) is list and (len(field) == 2) and type(field[0]) is str: if field[0] == 'include': includes.append(field) already_included = False for include in includes: if include[1] == KOSAND_INCLUDE_PATH_FOR_NGINX_CONF: already_included = True if not already_included: http_sect.append(['include', KOSAND_INCLUDE_PATH_FOR_NGINX_CONF]) backup_nginx_conf() tmp_nginx_path = '/tmp/kosand_nginx.conf' with open(tmp_nginx_path, 'w') as f: f.write(nginxparser.dumps(nginx_conf) + '\n') arg_tuple = (tmp_nginx_path, NGINX_CONF_PATH, tmp_nginx_path) os.system('sudo cp %s %s; rm %s' % arg_tuple) else: print('NEEDED NGINX CONF FIELD ALREADY FOUND!')
def parse_nginx_conf(ngconf_path): web_paths = [] try: import nginxparser except Exception: pass else: if common.is_linux() and os.path.exists(ngconf_path): for root, dirs, files in os.walk(ngconf_path): for f in files: confs = nginxparser.load(open(os.path.join(root, f))) for conf in confs: for setting in conf[1]: if setting[0] == 'root': web_paths.append(setting[1]) return web_paths
def test_parse_from_file(self): parsed = load(open("/etc/nginx/sites-enabled/foo.conf")) self.assertEqual( parsed, [['user', 'www-data']], [['server'], [ ['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/'], [['location', '/status'], [ ['check_status'], [['types'], [['image/jpeg', 'jpg']]], ]], [['location', '~', 'case_sensitive\.php$']], [['location', '~*', 'case_insensitive\.php$']], [['location', '=', 'exact_match\.php$']], [['location', '^~', 'ignore_regex\.php$']], ]], )
def update_nginx_confs(self): available_domains = self.list_available_certs() filepath = self.settings.basedir + self.settings.domainfile domains = '' if os.path.isfile(filepath): with open(filepath) as f: domains = f.readlines() domains = [x.strip() for x in domains] domains = "\n".join(domains) mysplit = domains.split("\n") # Gets all enabled sites available_nginx_files = self.list_enabled_nginx_confs() for curr_domain in available_domains: for curr_nginx_file in available_nginx_files: logging.debug("## Use Certs: Checking config file - %s ##" % curr_nginx_file) if self.settings.nginx_config in curr_nginx_file: logging.debug("Skipping file: %s" % curr_nginx_file) continue # Path is to the sites_available directory filepath = self.settings.nginx_sites_available + curr_nginx_file if not os.path.isfile(filepath): logging.debug("File not in sites_available directory.. continuing") continue loaded_conf = load(open(filepath)) for servers in loaded_conf: server_conf = servers[1] ssl_true = False listen_position = None server_name_position = None ssl_cert_position = None ssl_cert_key_position = None curr_pos = 0 for lines in server_conf: if isinstance(lines[0], str): if 'server_name' in lines[0] and len(lines) > 1: if server_name_position is not None: logging.debug("There must be more than one server_name_position.. skipping this file because we don't know how to handle it.") print("CONF %s" % loaded_conf) break server_name_position = curr_pos if 'listen' in lines[0] and len(lines) > 1: if listen_position is not None: listen_position = [listen_position] listen_position.append(curr_pos) print("There are multiple listen positions: %s" % listen_position) else: listen_position = curr_pos if 'ssl_certificate' in lines[0] and 'ssl_certificate_key' not in lines[0] and len(lines) > 1: if ssl_cert_position is not None: logging.debug("There must be more than one ssl_certificate.. skipping this file because we don't know how to handle it.") print("CONF %s" % lines[0]) break ssl_cert_position = curr_pos if 'ssl_certificate_key' in lines[0] and len(lines) > 1: if ssl_cert_key_position is not None: logging.debug("There must be more than one ssl_certificate_key.. skipping this file because we don't know how to handle it.") print("CONF %s" % lines[0]) break ssl_cert_key_position = curr_pos curr_pos += 1 if listen_position is not None and server_name_position is not None: logging.debug("We have both listen and server name positions: listen position: %s | server_name_position: %s" % (listen_position, server_name_position)) found_it = False for domain_list_line in mysplit: if found_it is True: break secondsplit = domain_list_line.split(" ") for domains in secondsplit: logging.debug("CHECKING DOMAIN %s with: %s" % (server_conf[server_name_position][1], domains)) if server_conf[server_name_position][1] in domains: logging.debug("found our domain: %s in the list of domains" % server_conf[server_name_position][1]) found_it = True break if found_it is False: logging.debug("Server Config does not have any of our domains with SSL certs in the 'server_name' position.. skipping this config.") continue # Check if SSL is already setup if ssl_cert_key_position is not None and ssl_cert_position is not None: # Check if ports are setup too if isinstance(listen_position, list): already_setup = False for listens in listen_position: if "443" in server_conf[listens][1]: already_setup = True break if already_setup is True: logging.debug("This server is already setup for SSL") continue elif isinstance(listen_position, str): if "443" in server_conf[listens][1]: continue # Lets setup SSL now... logging.debug("Attempting to setup SSL for domain: %s" % curr_domain) # Multiple listen calls.. if isinstance(listen_position, list): already_setup = False for listens in listen_position: if "443" in server_conf[listens][1]: already_setup = True break # Check if ssl port is already set if already_setup is True: logging.debug("Server port already setup for SSL") # 443 not set... set one of the listen calls to 443 else: server_conf[listen_position[0]][1] # ssl port set already if "443 ssl" in server_conf[listen_position[0]][1]: logging.debug("Server port already setup for SSL") # ssl port not set yet.. else: if ":" in server_conf[listen_position[0]][1]: tmp = server_conf[listen_position[0]][1].split(":") if tmp[1]: logging.debug("old port value %s" % server_conf[listen_position[0]][1]) r = re.compile(r"\d{2,5}") tmp[1] = r.sub("443 ssl", tmp[1]) server_conf[listen_position[0]][1] = ':'.join(tmp) logging.debug("new port value: %s" % server_conf[listen_position[0]][1]) else: logging.debug("old port value: %s" % server_conf[listen_position[0]][1]) r = re.compile(r"\d{2,5}") tmp = r.sub("443 ssl", server_conf[listen_position[0]][1]) server_conf[listen_position[0]][1] = tmp logging.debug("new port value: %s" % server_conf[listen_position[0]][1]) # Single listen call.. else: # ssl port set already if "443 ssl" in server_conf[listen_position][1]: logging.debug("Server port already setup for SSL") # ssl port not set yet.. else: if ":" in server_conf[listen_position][1]: tmp = server_conf[listen_position][1].split(":") if tmp[1]: logging.debug("old port value %s" % server_conf[listen_position][1]) r = re.compile(r"\d{2,5}") tmp[1] = r.sub("443 ssl", tmp[1]) server_conf[listen_position][1] = ':'.join(tmp) logging.debug("new port value: %s" % server_conf[listen_position][1]) else: logging.debug("old port value: %s" % server_conf[listen_position][1]) r = re.compile(r"\d{2,5}") tmp = r.sub("443 ssl", server_conf[listen_position][1]) server_conf[listen_position][1] = tmp logging.debug("new port value: %s" % server_conf[listen_position][1]) cert_path = self.settings.basedir + '/certs/' + curr_domain + '/fullchain.pem' cert_key_path = self.settings.basedir + '/certs/' + curr_domain + '/privkey.pem' if ssl_cert_position is None: server_conf.insert(0, ["ssl_certificate", cert_path]) else: server_conf[ssl_cert_position][1] = cert_path if ssl_cert_key_position is None: server_conf.insert(1, ["ssl_certificate_key", cert_key_path]) else: server_conf[ssl_cert_key_position][1] = cert_key_path file = open(filepath,"w") file.write(dumps(loaded_conf)) file.close() logging.debug("## FINISHED WITH SETTING UP NGINX WITH CERTS ##") self.context.notify('info', 'Nginx is now using your valid certs.')
def load_term54team5envqa_with_known_host(self): return nginxparser.load( open("test_data_twu54team1qa_with_known_host.config"))
def load_term54team5envqa(self): return nginxparser.load(open("test_data_twu54team1qa.config"))
def main(): global wapt_folder,NGINX_GID parser = OptionParser(usage=usage, version=__version__) parser.add_option( '-c', '--config', dest='configfile', default=waptserver.config.DEFAULT_CONFIG_FILE, help='Config file full path (default: %default)') parser.add_option( "-s", "--force-https", dest="force_https", default=False, action='store_true', help="Use https only, http is 301 redirected to https (default: False). Requires a proper DNS name") (options, args) = parser.parse_args() if postconf.yesno("Do you want to launch post configuration tool ?") != postconf.DIALOG_OK: print "canceling wapt postconfiguration" sys.exit(1) # TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql) if type_redhat(): if re.match('^SELinux status:.*enabled', run('sestatus')): postconf.msgbox('SELinux detected, tweaking httpd permissions.') run('setsebool -P httpd_can_network_connect 1') run('setsebool -P httpd_setrlimit on') for sepath in ('wapt','wapt-host'): run('semanage fcontext -a -t httpd_sys_content_t "/var/www/html/%s(/.*)?"' %sepath) run('restorecon -R -v /var/www/html/%s' %sepath) postconf.msgbox('SELinux correctly configured for Nginx reverse proxy') server_config = waptserver.config.load_config(options.configfile) if os.path.isfile(options.configfile): print('making a backup copy of the configuration file') datetime_now = datetime.datetime.now() shutil.copyfile(options.configfile,'%s.bck_%s'% (options.configfile,datetime_now.isoformat()) ) wapt_folder = server_config['wapt_folder'] # add secret key initialisation string (for session token) if not server_config['secret_key']: server_config['secret_key'] = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(64)) # add user db and password in ini file if server_config['db_host'] in (None,'','localhost','127.0.0.1','::1'): ensure_postgresql_db(db_name=server_config['db_name'],db_owner=server_config['db_name'],db_password=server_config['db_password']) # Password setup/reset screen if not server_config['wapt_password'] or \ postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK: wapt_password_ok = False while not wapt_password_ok: wapt_password = '' wapt_password_check = '' while wapt_password == '': (code,wapt_password) = postconf.passwordbox("Please enter the wapt server password (min. 10 characters): ", insecure=True,width=100) if code != postconf.DIALOG_OK: exit(0) while wapt_password_check == '': (code,wapt_password_check) = postconf.passwordbox("Please enter the wapt server password again: ", insecure=True,width=100) if code != postconf.DIALOG_OK: exit(0) if wapt_password != wapt_password_check: postconf.msgbox('Password mismatch !') elif len(wapt_password) < 10: postconf.msgbox('Password must be at least 10 characters long !') else: wapt_password_ok = True password = pbkdf2_sha256.hash(wapt_password.encode('utf8')) server_config['wapt_password'] = password if not server_config['server_uuid']: server_config['server_uuid'] = str(uuid.uuid1()) # waptagent authentication method choices = [ ("1","Allow unauthenticated registration, same behavior as wapt 1.3", True), ("2","Enable kerberos authentication required for machines registration", False), ("3","Disable Kerberos but registration require strong authentication", False), ] code, t = postconf.radiolist("WaptAgent Authentication type?", choices=choices,width=120) if code=='cancel': print("\n\npostconfiguration canceled\n\n") sys.exit(1) if t=="1": server_config['allow_unauthenticated_registration'] = True server_config['use_kerberos'] = False if t=="2": server_config['allow_unauthenticated_registration'] = False server_config['use_kerberos'] = True if t=="3": server_config['allow_unauthenticated_registration'] = False server_config['use_kerberos'] = False waptserver.config.write_config_file(cfgfile=options.configfile,server_config=server_config,non_default_values_only=True) run("/bin/chmod 640 %s" % options.configfile) run("/bin/chown wapt %s" % options.configfile) repo = WaptLocalRepo(wapt_folder) repo.update_packages_index(force_all=True) final_msg = ['Postconfiguration completed.',] postconf.msgbox("Press ok to start waptserver and wapttasks daemons") enable_waptserver() start_waptserver() # In this new version Apache is replaced with Nginx? Proceed to disable Apache. After migration one can remove Apache install altogether try: run_verbose('systemctl stop %s' % APACHE_SVC) except: pass try: run_verbose('systemctl disable %s' % APACHE_SVC) except: pass # nginx configuration dialog reply = postconf.yesno("Do you want to configure nginx?") if reply == postconf.DIALOG_OK: try: fqdn = socket.getfqdn() if not fqdn: fqdn = 'wapt' if '.' not in fqdn: fqdn += '.lan' msg = 'FQDN for the WAPT server (eg. wapt.acme.com)' (code, reply) = postconf.inputbox(text=msg, width=len(msg)+4, init=fqdn) if code != postconf.DIALOG_OK: exit(1) else: fqdn = reply dh_filename = '/etc/ssl/certs/dhparam.pem' if not os.path.exists(dh_filename): run_verbose('openssl dhparam -out %s 2048' % dh_filename) os.chown(dh_filename, 0, NGINX_GID) #pylint: disable=no-member os.chmod(dh_filename, 0o640) #pylint: disable=no-member # cleanup of nginx.conf file with open('/etc/nginx/nginx.conf','r') as read_conf: nginx_conf = nginxparser.load(read_conf) nginx_conf = nginx_set_worker_limit(nginx_conf) nginx_conf = nginx_clean_default_vhost(nginx_conf) with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file: nginx_conf_file.write(nginxparser.dumps(nginx_conf)) if server_config['use_kerberos']: if type_debian(): if not check_if_deb_installed('libnginx-mod-http-auth-spnego'): print('missing dependency libnginx-mod-http-auth-spnego, please install first before configuring kerberos') sys.exit(1) make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn, server_config['use_kerberos'], options.force_https,server_config['waptserver_port']) final_msg.append('Please connect to https://' + fqdn + '/ to access the server.') postconf.msgbox("The Nginx config is done. We need to restart Nginx?") run_verbose('systemctl enable nginx') run_verbose('systemctl restart nginx') setup_firewall() except subprocess.CalledProcessError as cpe: final_msg += [ 'Error while trying to configure Nginx!', 'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output ] except Exception as e: import traceback final_msg += [ 'Error while trying to configure Nginx!', traceback.format_exc() ] if check_mongo2pgsql_upgrade_needed(options.configfile) and\ postconf.yesno("It is necessary to migrate current database backend from mongodb to postgres. Press yes to start migration",no_label='cancel') == postconf.DIALOG_OK: upgrade2postgres(options.configfile) width = 4 + max(10, len(max(final_msg, key=len))) height = 2 + max(20, len(final_msg)) postconf.msgbox('\n'.join(final_msg), height=height, width=width)
additional[-1][-1].append(location) return additional def add_locations(config, additional): for conf in additional[0][1]: config[1][-1].append(conf) return config if __name__ == "__main__": args = parse_args() config_path = os.path.join(args.root, "nginx.conf") additional_path = os.path.join(args.root, "nginx_additional") if not os.path.isfile(additional_path): with open(additional_path, 'w') as f: f.write('server { }') config = load(open(config_path)) additional = load(open(additional_path)) if args.folder: additional = serve_folder(additional, args.persistent, args.folder) dump(additional, open(additional_path, 'w')) if args.reload: config = add_locations(config, additional) dump(config, open(config_path, 'w'))
def getProjectInfo(file_path): print file_path print load(open(file_path, "r"))
def main(): global wapt_folder, MONGO_SVC, APACHE_SVC, NGINX_GID parser = OptionParser(usage=usage, version='waptserver.py ' + __version__) parser.add_option( "-k", "--use-kerberos", dest="use_kerberos", default=False, action='store_true', help="Use kerberos for host registration (default: False)") parser.add_option( "-s", "--force-https", dest="force_https", default=False, action='store_true', help= "Use https only, http is 301 redirected to https (default: False). Requires a proper DNS name" ) (options, args) = parser.parse_args() if postconf.yesno("Do you want to launch post configuration tool ?" ) != postconf.DIALOG_OK: print "canceling wapt postconfiguration" sys.exit(1) # TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql) if type_redhat(): if re.match('^SELinux status:.*enabled', subprocess.check_output('sestatus')): postconf.msgbox('SELinux detected, tweaking httpd permissions.') run('setsebool -P httpd_can_network_connect 1') run('setsebool -P httpd_setrlimit on') for sepath in ('wapt', 'wapt-host', 'wapt-hostref'): run('semanage fcontext -a -t httpd_sys_content_t "/var/www/html/%s(/.*)?"' % sepath) run('restorecon -R -v /var/www/html/%s' % sepath) postconf.msgbox( 'SELinux correctly configured for Nginx reverse proxy') if not os.path.isfile('/opt/wapt/conf/waptserver.ini'): shutil.copyfile('/opt/wapt/waptserver/waptserver.ini.template', '/opt/wapt/conf/waptserver.ini') else: print('making a backup copy of the configuration file') datetime_now = datetime.datetime.now() shutil.copyfile( '/opt/wapt/conf/waptserver.ini', '/opt/wapt/conf/waptserver.ini.bck_%s' % datetime_now.isoformat()) waptserver_ini = iniparse.RawConfigParser() waptserver_ini.readfp(file('/opt/wapt/conf/waptserver.ini', 'rU')) if waptserver_ini.has_section('uwsgi'): print('Remove uwsgi options, not used anymore') waptserver_ini.remove_section('uwsgi') # add secret key initialisation string (for session token) if not waptserver_ini.has_option('options', 'secret_key'): waptserver_ini.set( 'options', 'secret_key', ''.join( random.SystemRandom().choice(string.letters + string.digits) for _ in range(64))) # add user db and password in ini file ensure_postgresql_db() print("create database schema") run(" sudo -u wapt python /opt/wapt/waptserver/waptserver_model.py init_db " ) mongo_update_status = check_mongo2pgsql_upgrade_needed(waptserver_ini) if mongo_update_status == 0: print("already running postgresql, trying to upgrade structure") run("sudo -u wapt python /opt/wapt/waptserver/waptserver_upgrade.py upgrade_structure" ) elif mongo_update_status == 1: print( "need to upgrade from mongodb to postgres, please launch python /opt/wapt/waptserver/waptserver_upgrade.py upgrade2postgres" ) sys.exit(1) elif mongo_update_status == 2: print("something not normal please check your installation first") sys.exit(1) if os.path.isdir(wapt_folder): waptserver_ini.set('options', 'wapt_folder', wapt_folder) else: # for install on windows # keep in sync with waptserver.py wapt_folder = os.path.join(wapt_root_dir, 'waptserver', 'repository', 'wapt') # if os.path.exists(os.path.join(wapt_root_dir, 'waptserver', 'wsus.py')): # waptserver_ini.set('uwsgi', 'attach-daemon', '/usr/bin/python /opt/wapt/waptserver/wapthuey.py wsus.huey') if not waptserver_ini.has_option('options', 'wapt_password') or \ not waptserver_ini.get('options', 'wapt_password') or \ postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK: wapt_password_ok = False while not wapt_password_ok: wapt_password = '' wapt_password_check = '' while wapt_password == '': (code, wapt_password) = postconf.passwordbox( "Please enter the wapt server password: "******"Please enter the wapt server password again: ", insecure=True) if code != postconf.DIALOG_OK: exit(0) if wapt_password != wapt_password_check: postconf.msgbox('Password mismatch!') else: wapt_password_ok = True password = pbkdf2_sha256.hash(wapt_password.encode('utf8')) waptserver_ini.set('options', 'wapt_password', password) if not waptserver_ini.has_option('options', 'server_uuid'): waptserver_ini.set('options', 'server_uuid', str(uuid.uuid1())) if options.use_kerberos: waptserver_ini.set('options', 'use_kerberos', 'True') else: waptserver_ini.set('options', 'use_kerberos', 'False') with open('/opt/wapt/conf/waptserver.ini', 'w') as inifile: run("/bin/chmod 640 /opt/wapt/conf/waptserver.ini") run("/bin/chown wapt /opt/wapt/conf/waptserver.ini") waptserver_ini.write(inifile) # TODO : remove mongodb lines that are commented out run('python /opt/wapt/wapt-scanpackages.py %s ' % wapt_folder) final_msg = [ 'Postconfiguration completed.', ] postconf.msgbox("Press ok to start waptserver") enable_waptserver() start_waptserver() # In this new version Apache is replaced with Nginx? Proceed to disable Apache. After migration one can remove Apache install altogether try: print( subprocess.check_output('systemctl stop %s' % APACHE_SVC, shell=True)) except: pass try: print( subprocess.check_output('systemctl disable %s' % APACHE_SVC, shell=True)) except: pass reply = postconf.yesno("Do you want to configure nginx?") if reply == postconf.DIALOG_OK: try: fqdn = socket.getfqdn() if not fqdn: fqdn = 'wapt' if '.' not in fqdn: fqdn += '.lan' msg = 'FQDN for the WAPT server (eg. wapt.acme.com)' (code, reply) = postconf.inputbox(text=msg, width=len(msg) + 4, init=fqdn) if code != postconf.DIALOG_OK: exit(1) else: fqdn = reply dh_filename = '/etc/ssl/certs/dhparam.pem' if not os.path.exists(dh_filename): print( subprocess.check_output('openssl dhparam -out %s 2048' % dh_filename, shell=True)) os.chown(dh_filename, 0, NGINX_GID) os.chmod(dh_filename, 0o640) # cleanup of nginx.conf file with open('/etc/nginx/nginx.conf', 'r') as read_conf: nginx_conf = nginxparser.load(read_conf) nginx_conf = nginx_set_worker_limit(nginx_conf) nginx_conf = nginx_clean_default_vhost(nginx_conf) with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file: nginx_conf_file.write(nginxparser.dumps(nginx_conf)) if options.use_kerberos: if type_debian(): if not check_if_deb_installed( 'libnginx-mod-http-auth-spnego'): print( 'missing dependency libnginx-mod-http-auth-spnego, please install first before configuring kerberos' ) sys.exit(1) elif type_redhat(): import yum yb = yum.YumBase() yb.conf.cache = os.geteuid() != 1 pkgs = yb.rpmdb.returnPackages() found = False for pkg in pkgs: if pkg.name == 'nginx-mod-http-auth-spnego': found = True if found == False: print( 'missing dependency nginx-mod-http-auth-spnego, please install first before configuring kerberos' ) sys.exit(1) make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn, options.use_kerberos, options.force_https) final_msg.append('Please connect to https://' + fqdn + '/ to access the server.') postconf.msgbox( "The Nginx config is done. We need to restart Nginx?") print(subprocess.check_output('systemctl enable nginx', shell=True)) print( subprocess.check_output('systemctl restart nginx', shell=True)) setup_firewall() except subprocess.CalledProcessError as cpe: final_msg += [ 'Error while trying to configure Nginx!', 'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output ] except Exception as e: import traceback final_msg += [ 'Error while trying to configure Nginx!', traceback.format_exc() ] width = 4 + max(10, len(max(final_msg, key=len))) height = 2 + max(20, len(final_msg)) postconf.msgbox('\n'.join(final_msg), height=height, width=width)
found = True print 'pyparsing is installed...' except ImportError: found = False print 'pyparsing is not installed...' print 'Installing now...' owd = os.getcwd() os.system('sudo git clone https://github.com/saikounonou5/pymods.git') os.chdir('/pymods') os.system('sudo rpm -ivh pyparsing-*.rpm') os.chdir(owd) from nginxparser import load,dump,dumps import pyparsing #Configure root and listener in nginx.config j= load(open('/etc/nginx/nginx.conf')) count=0 #Loop down to server config vars for line in j: for l in line: for v in l: for g in v: for t in g: if 'listen' in t: if t[1] != '8000 default_server' and count == 0: t[0]= 'listen' t[1]= '8000 default_server' print 'Listener port set to 8000' count+=1 else:
[['root', persistence]]]) additional[-1][-1].append(location) return additional def add_locations(config, additional): for conf in additional[0][1]: config[1][-1].append(conf) return config if __name__ == "__main__": args = parse_args() config_path = os.path.join(args.root, "nginx.conf") additional_path = os.path.join(args.root, "nginx_additional") if not os.path.isfile(additional_path): with open(additional_path, 'w') as f: f.write('server { }') config = load(open(config_path)) additional = load(open(additional_path)) if args.folder: additional = serve_folder(additional, args.persistent, args.folder) dump(additional, open(additional_path, 'w')) if args.reload: config = add_locations(config, additional) dump(config, open(config_path, 'w'))
def __init__(self, path, options): Config.__init__(self, path, options) with open(path, 'r') as f: self.config = nginxparser.load(f)
def test_parse_from_file(self): parsed = load(open("/etc/nginx/sites-enabled/foo.conf")) self.assertEqual(parsed, [[['server'], [['listen', '80'], ['server_name', 'foo.com'], ['root', '/home/ubuntu/sites/foo/']]]])