def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir, gtdir, log):
brokerconfig = get_brokerconfig_path(gtdir)
pathutil.ensure_file_exists(cacert, "CA certificate")
pathutil.ensure_file_exists(cakey, "CA private key")
pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
pathutil.ensure_file_exists(keystore, "Java keystore")
# is some BS
restbroker_xml = pathutil.pathjoin(gtdir,
'etc/nimbus-context-broker/other/main.xml')
pathutil.ensure_file_exists(restbroker_xml,
"Context Broker REST interface config")
args = [brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
'caCertPath', cacert, 'caKeyPath', cakey]
(exitcode, stdout, stderr) = javautil.run(basedir, log,
EXE_SERVICE_RESOURCE, args=args)
runutil.generic_bailout("Problem adjusting broker config",
exitcode, stdout, stderr)
args = [brokerconfig, 'NimbusContextBroker', 'rest',
'keystoreLocation', keystore, 'keystorePassword', keystore_pass,
'springConfig', restbroker_xml]
(exitcode, stdout, stderr) = javautil.run(basedir, log,
EXE_SERVICE_RESOURCE, args=args)
runutil.generic_bailout("Problem adjusting broker config",
exitcode, stdout, stderr)
log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
def classpath(basedir):
opt = "."
libdir = jarsdir(basedir)
dirs = os.listdir(libdir)
for fname in dirs:
opt += ":" + pathutil.pathjoin(libdir, fname)
return opt
def findCAkey(basedir, cadir, log):
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
args = [cacertdir]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_FIND_CA_PRIVPEM, args=args)
runutil.generic_bailout("Problem finding CA key.", exitcode, stdout, stderr)
if not stdout:
raise UnexpectedError("Path is not present for CA key")
keypath = stdout.strip()
pathutil.ensure_file_exists(keypath, "CA key")
return keypath
def findCAkey(basedir, cadir, log):
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
args = [cacertdir]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_FIND_CA_PRIVPEM,
args=args)
runutil.generic_bailout("Problem finding CA key.", exitcode, stdout,
stderr)
if not stdout:
raise UnexpectedError("Path is not present for CA key")
keypath = stdout.strip()
pathutil.ensure_file_exists(keypath, "CA key")
return keypath
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir,
gtdir, log):
brokerconfig = get_brokerconfig_path(gtdir)
pathutil.ensure_file_exists(cacert, "CA certificate")
pathutil.ensure_file_exists(cakey, "CA private key")
pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
pathutil.ensure_file_exists(keystore, "Java keystore")
# is some BS
restbroker_xml = pathutil.pathjoin(
gtdir, 'etc/nimbus-context-broker/other/main.xml')
pathutil.ensure_file_exists(restbroker_xml,
"Context Broker REST interface config")
args = [
brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
'caCertPath', cacert, 'caKeyPath', cakey
]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_SERVICE_RESOURCE,
args=args)
runutil.generic_bailout("Problem adjusting broker config", exitcode,
stdout, stderr)
args = [
brokerconfig, 'NimbusContextBroker', 'rest', 'keystoreLocation',
keystore, 'keystorePassword', keystore_pass, 'springConfig',
restbroker_xml
]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_SERVICE_RESOURCE,
args=args)
runutil.generic_bailout("Problem adjusting broker config", exitcode,
stdout, stderr)
log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
def get_brokerconfig_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_BROKERCONFIG)
def main(argv=None):
if os.name != 'posix':
print >> sys.stderr, "Only runs on POSIX systems."
return 3
parser = parsersetup()
if argv:
(opts, args) = parser.parse_args(argv[1:])
else:
(opts, args) = parser.parse_args()
global log
log = None
printdebugoutput = False
try:
# 1. Intake args and confs
validateargs(opts)
config = getconfig(filepath=opts.configpath)
# 2. Setup logging
confdebug = config.get("nimbusweb", "debug")
if confdebug == "on":
printdebugoutput = True
elif opts.debug:
printdebugoutput = True
if printdebugoutput:
configureLogging(logging.DEBUG)
else:
configureLogging(logging.INFO)
# 3. Dump settings
basedir = opts.basedir
log.debug("base directory: %s" % basedir)
insecuremode = opts.insecuremode
if insecuremode:
log.debug("**** This is insecure developer mode ****")
else:
log.debug("secure mode")
certconf = config_from_key(config, "ssl.cert")
keyconf = config_from_key(config, "ssl.key")
cadir = config_from_key(config, "ca.dir")
timezone = config_from_key(config, "timezone")
port = config_from_key(config, "webserver.port")
host = config_from_key(config, "webserver.host")
printurl = config_from_key(config, "print.url")
accountprompt = config_from_key(config, "account.prompt")
expire_hours = config_from_key(config, "token.expire_hours")
try:
expire_hours = int(expire_hours)
except:
raise InvalidConfig(
"invalid token.expire_hours setting, not an integer?")
# 4. Validate base directory
if not pathutil.is_absolute_path(basedir):
raise IncompatibleEnvironment(
"Base directory setting is not absolute, have you been altering the stanadalone launch code?"
)
pathutil.ensure_dir_exists(
basedir, "base",
": have you been altering the stanadalone launch code?")
# 5. Run one subcommand
if opts.checkssl:
checkssl.run(basedir, certconf, keyconf, log)
if opts.newconf:
newconf.run(basedir, timezone, accountprompt, log,
printdebugoutput, insecuremode, printurl, expire_hours,
cadir)
if opts.printport:
if not port:
raise IncompatibleEnvironment(
"There is no 'webserver.port' configuration")
try:
port = int(port)
except:
raise IncompatibleEnvironment(
"'webserver.port' configuration is not an integer?")
print port
if opts.printhost:
if not host:
raise IncompatibleEnvironment(
"There is no 'webserver.host' configuration")
print host
if opts.printcertpath:
if not certconf:
raise IncompatibleEnvironment(
"There is no 'ssl.cert' configuration")
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" %
certconf)
print certconf
if opts.printkeypath:
if not keyconf:
raise IncompatibleEnvironment(
"There is no 'ssl.key' configuration")
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" %
keyconf)
print keyconf
if opts.forcenewssl:
forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
opts.forcekeypath, opts.forcehostname, log)
except InvalidInput, e:
msg = "\nProblem with input: %s" % e.msg
print >> sys.stderr, msg
return 1
def jarsdir(basedir):
return pathutil.pathjoin(basedir, "lib/java")
def createCert(CN,
basedir,
cadir,
certtarget,
keytarget,
log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CERT,
args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >> sys.stderr, "***"
print >> sys.stderr, "*** WARNING ***"
print >> sys.stderr, "***"
print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def get_serverconfig_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_SERVERCONFIG)
def _createCA(ca_name, basedir, cadir, log):
javautil.check(basedir, log)
# mkdir $cadir
# mkdir $cadir/ca-certs
# mkdir $cadir/trusted-certs
# mkdir $cadir/user-certs
os.mkdir(cadir)
pathutil.ensure_dir_exists(cadir, "New CA directory")
log.debug("Created %s" % cadir)
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
os.mkdir(cacertdir)
pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
log.debug("Created %s" % cacertdir)
trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
os.mkdir(trustedcertdir)
pathutil.ensure_dir_exists(trustedcertdir,
"New CA trusted certs directory")
log.debug("Created %s" % trustedcertdir)
usercertdir = pathutil.pathjoin(cadir, "user-certs")
os.mkdir(usercertdir)
pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
log.debug("Created %s" % usercertdir)
# Create the cert via autocommon
args = [cacertdir, ca_name]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CA,
args=args)
runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
# Make the private key owner-readable only
privkeyname = "private-key-" + ca_name + ".pem"
cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
pathutil.ensure_file_exists(cakeyfile, "New CA key")
log.debug("file exists: %s" % cakeyfile)
pathutil.make_path_rw_private(cakeyfile)
pathutil.ensure_path_private(cakeyfile, "New CA key")
log.debug("file made private: %s" % cakeyfile)
# Copy the new certificate file to the "hash.0" version that some toolings
# will expect.
cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
pathutil.ensure_file_exists(cacertfile, "New CA cert")
log.debug("file exists: %s" % cacertfile)
args = [cacertfile]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
cacertfilehash = stdout.strip()
log.debug("cert file hash is '%s'" % cacertfilehash)
newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
log.debug("file exists: %s" % newpath)
newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
log.debug("file exists: %s" % newpath)
# Signing policy
signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
args = [cacertfile, signing1]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_WRITE_SIGNING_POLICY,
args=args)
runutil.generic_bailout("Problem creating signing_policy file.", exitcode,
stdout, stderr)
pathutil.ensure_file_exists(signing1, "signing_policy file #1")
log.debug("file exists: %s" % signing1)
signing2 = pathutil.pathjoin(trustedcertdir,
cacertfilehash + ".signing_policy")
shutil.copyfile(signing1, signing2)
pathutil.ensure_file_exists(signing2, "signing_policy file #2")
log.debug("file exists: %s" % signing2)
# CRL
crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
args = [crl1, cacertfile, cakeyfile]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_CRL,
args=args)
runutil.generic_bailout("Problem creating revocation file.", exitcode,
stdout, stderr)
pathutil.ensure_file_exists(crl1, "revocation file #1")
log.debug("file exists: %s" % crl1)
crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
shutil.copyfile(crl1, crl2)
pathutil.ensure_file_exists(crl2, "revocation file #2")
log.debug("file exists: %s" % crl2)
def get_brokerconfig_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_BROKERCONFIG)
def get_secdesc_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_SECDESC)
def run(basedir, timezone, accountprompt, log, debug, insecuremode, printurl,
expire_hours, cadir):
log.debug("Installing new configurations to django and cherrypy")
if not accountprompt:
accountprompt = "contact the administrator."
if not timezone:
raise IncompatibleEnvironment("There is no 'timezone' configuration")
# --------------------------------------------------------------------------
# The generated_settings.py file is created and replaced at will by this
# newconf system.
# sanity check:
real_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/settings.py")
pathutil.ensure_file_exists(real_settings, "web settings")
log.debug("file exists: %s" % real_settings)
generated_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_settings.py")
if pathutil.check_path_exists(generated_settings):
log.debug("Going to overwrite previously written generated_settings.py")
lines = []
# sqlite DB
db_path = pathutil.pathjoin(basedir, "var/nimbus.sqlite")
lines.append("DATABASE_ENGINE = 'sqlite3'")
lines.append("DATABASE_NAME = '%s'" % db_path)
lines.append("TIME_ZONE = '%s'" % timezone)
lines.append("NIMBUS_ACCOUNT_PROMPT = '%s'" % accountprompt)
cadir_path = pathutil.pathjoin(basedir, cadir)
lines.append("NIMBUS_CADIR = '%s'" % cadir_path)
if debug:
lines.append("DEBUG = True")
lines.append("TEMPLATE_DEBUG = True")
else:
lines.append("DEBUG = False")
lines.append("TEMPLATE_DEBUG = False")
if insecuremode:
lines.append("SESSION_COOKIE_SECURE = False")
else:
lines.append("SESSION_COOKIE_SECURE = True")
lines.append("NIMBUS_PRINT_URL = '%s'" % printurl)
lines.append("NIMBUS_TOKEN_EXPIRE_HOURS = %d" % expire_hours)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
log.debug("Going to write this to generated_settings:\n%s" % generated_text)
f = open(generated_settings, 'w')
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_settings, "generated web settings")
print "Wrote generated_settings: %s" % generated_settings
# --------------------------------------------------------------------------
generated_secrets = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_secrets.py")
if not pathutil.check_path_exists(generated_secrets):
# Creating secret each newconf would mean that people's sessions won't
# work after webapp reboot and they would need to login again.
# Instead, it is only written when nonexistent (clean-slate script will
# remove it).
lines = []
okchars = string.letters + string.digits + "!@%^_&*+-"
okchars += okchars
secret = ''.join( Random().sample(okchars, 50) )
lines.append("SECRET_KEY = '%s'" % secret)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
f = open(generated_secrets, 'w')
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_secrets, "generated web secrets")
print "Wrote generated_secrets: %s" % generated_secrets
def main(argv=None):
if os.name != 'posix':
print >>sys.stderr, "Only runs on POSIX systems."
return 3
parser = parsersetup()
if argv:
(opts, args) = parser.parse_args(argv[1:])
else:
(opts, args) = parser.parse_args()
global log
log = None
printdebugoutput = False
try:
# 1. Intake args and confs
validateargs(opts)
config = getconfig(filepath=opts.configpath)
# 2. Setup logging
confdebug = config.get("nimbusweb", "debug")
if confdebug == "on":
printdebugoutput = True
elif opts.debug:
printdebugoutput = True
if printdebugoutput:
configureLogging(logging.DEBUG)
else:
configureLogging(logging.INFO)
# 3. Dump settings
basedir = opts.basedir
log.debug("base directory: %s" % basedir)
insecuremode = opts.insecuremode
if insecuremode:
log.debug("**** This is insecure developer mode ****")
else:
log.debug("secure mode")
certconf = config_from_key(config, "ssl.cert")
keyconf = config_from_key(config, "ssl.key")
cadir = config_from_key(config, "ca.dir")
timezone = config_from_key(config, "timezone")
port = config_from_key(config, "webserver.port")
host = config_from_key(config, "webserver.host")
rest_url = config_from_key(config, "nimbusrest.url")
rest_key = config_from_key(config, "nimbusrest.key")
rest_secret = config_from_key(config, "nimbusrest.secret")
printurl = config_from_key(config, "print.url")
accountprompt = config_from_key(config, "account.prompt")
expire_hours = config_from_key(config, "token.expire_hours")
try:
expire_hours = int(expire_hours)
except:
raise InvalidConfig("invalid token.expire_hours setting, not an integer?")
# 4. Validate base directory
if not pathutil.is_absolute_path(basedir):
raise IncompatibleEnvironment("Base directory setting is not absolute, have you been altering the stanadalone launch code?")
pathutil.ensure_dir_exists(basedir, "base", ": have you been altering the stanadalone launch code?")
# 5. Run one subcommand
if opts.checkssl:
checkssl.run(basedir, certconf, keyconf, log)
if opts.newconf:
newconf.run(basedir, timezone, accountprompt, log,
printdebugoutput, insecuremode, printurl, expire_hours,
cadir, rest_url, rest_key, rest_secret)
if opts.printport:
if not port:
raise IncompatibleEnvironment("There is no 'webserver.port' configuration")
try:
port = int(port)
except:
raise IncompatibleEnvironment("'webserver.port' configuration is not an integer?")
print port
if opts.printhost:
if not host:
raise IncompatibleEnvironment("There is no 'webserver.host' configuration")
print host
if opts.printcertpath:
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
print certconf
if opts.printkeypath:
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
print keyconf
if opts.forcenewssl:
forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
opts.forcekeypath, opts.forcehostname, log)
except InvalidInput, e:
msg = "\nProblem with input: %s" % e.msg
print >>sys.stderr, msg
return 1
def get_secdesc_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_SECDESC)
def createCert(CN, basedir, cadir, certtarget, keytarget, log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def _createCA(ca_name, basedir, cadir, log):
javautil.check(basedir, log)
# mkdir $cadir
# mkdir $cadir/ca-certs
# mkdir $cadir/trusted-certs
# mkdir $cadir/user-certs
os.mkdir(cadir)
pathutil.ensure_dir_exists(cadir, "New CA directory")
log.debug("Created %s" % cadir)
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
os.mkdir(cacertdir)
pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
log.debug("Created %s" % cacertdir)
trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
os.mkdir(trustedcertdir)
pathutil.ensure_dir_exists(trustedcertdir, "New CA trusted certs directory")
log.debug("Created %s" % trustedcertdir)
usercertdir = pathutil.pathjoin(cadir, "user-certs")
os.mkdir(usercertdir)
pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
log.debug("Created %s" % usercertdir)
# Create the cert via autocommon
args = [cacertdir, ca_name]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CA, args=args)
runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
# Make the private key owner-readable only
privkeyname = "private-key-" + ca_name + ".pem"
cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
pathutil.ensure_file_exists(cakeyfile, "New CA key")
log.debug("file exists: %s" % cakeyfile)
pathutil.make_path_rw_private(cakeyfile)
pathutil.ensure_path_private(cakeyfile, "New CA key")
log.debug("file made private: %s" % cakeyfile)
# Copy the new certificate file to the "hash.0" version that some toolings
# will expect.
cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
pathutil.ensure_file_exists(cacertfile, "New CA cert")
log.debug("file exists: %s" % cacertfile)
args = [cacertfile]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
cacertfilehash = stdout.strip()
log.debug("cert file hash is '%s'" % cacertfilehash)
newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
log.debug("file exists: %s" % newpath)
newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
log.debug("file exists: %s" % newpath)
# Signing policy
signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
args = [cacertfile, signing1]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_WRITE_SIGNING_POLICY, args=args)
runutil.generic_bailout("Problem creating signing_policy file.", exitcode, stdout, stderr)
pathutil.ensure_file_exists(signing1, "signing_policy file #1")
log.debug("file exists: %s" % signing1)
signing2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".signing_policy")
shutil.copyfile(signing1, signing2)
pathutil.ensure_file_exists(signing2, "signing_policy file #2")
log.debug("file exists: %s" % signing2)
# CRL
crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
args = [crl1, cacertfile, cakeyfile]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_CRL, args=args)
runutil.generic_bailout("Problem creating revocation file.", exitcode, stdout, stderr)
pathutil.ensure_file_exists(crl1, "revocation file #1")
log.debug("file exists: %s" % crl1)
crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
shutil.copyfile(crl1, crl2)
pathutil.ensure_file_exists(crl2, "revocation file #2")
log.debug("file exists: %s" % crl2)
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >>sys.stderr, "***"
print >>sys.stderr, "*** WARNING ***"
print >>sys.stderr, "***"
print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def get_serverconfig_path(gtdir):
return pathutil.pathjoin(gtdir, CONF_SERVERCONFIG)