Esempio n. 1
0
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir, gtdir, log):
    brokerconfig = get_brokerconfig_path(gtdir)

    pathutil.ensure_file_exists(cacert, "CA certificate")
    pathutil.ensure_file_exists(cakey, "CA private key")
    pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
    pathutil.ensure_file_exists(keystore, "Java keystore")

    # is some BS
    restbroker_xml = pathutil.pathjoin(gtdir, 
            'etc/nimbus-context-broker/other/main.xml')
    pathutil.ensure_file_exists(restbroker_xml, 
            "Context Broker REST interface config")

    args = [brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
            'caCertPath', cacert, 'caKeyPath', cakey]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_SERVICE_RESOURCE, args=args)
    runutil.generic_bailout("Problem adjusting broker config", 
            exitcode, stdout, stderr)
    
    args = [brokerconfig, 'NimbusContextBroker', 'rest',
            'keystoreLocation', keystore, 'keystorePassword', keystore_pass,
            'springConfig', restbroker_xml]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_SERVICE_RESOURCE, args=args)
    runutil.generic_bailout("Problem adjusting broker config", 
            exitcode, stdout, stderr)
    log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
Esempio n. 2
0
def classpath(basedir):
    opt = "."
    libdir = jarsdir(basedir)
    dirs = os.listdir(libdir)
    for fname in dirs:
        opt += ":" + pathutil.pathjoin(libdir, fname)
    return opt
Esempio n. 3
0
def findCAkey(basedir, cadir, log):
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    args = [cacertdir]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_FIND_CA_PRIVPEM, args=args)
    runutil.generic_bailout("Problem finding CA key.", exitcode, stdout, stderr)
    if not stdout:
        raise UnexpectedError("Path is not present for CA key")
    keypath = stdout.strip()
    pathutil.ensure_file_exists(keypath, "CA key")
    return keypath
Esempio n. 4
0
def findCAkey(basedir, cadir, log):
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    args = [cacertdir]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_FIND_CA_PRIVPEM,
                                              args=args)
    runutil.generic_bailout("Problem finding CA key.", exitcode, stdout,
                            stderr)
    if not stdout:
        raise UnexpectedError("Path is not present for CA key")
    keypath = stdout.strip()
    pathutil.ensure_file_exists(keypath, "CA key")
    return keypath
Esempio n. 5
0
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir,
                         gtdir, log):
    brokerconfig = get_brokerconfig_path(gtdir)

    pathutil.ensure_file_exists(cacert, "CA certificate")
    pathutil.ensure_file_exists(cakey, "CA private key")
    pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
    pathutil.ensure_file_exists(keystore, "Java keystore")

    # is some BS
    restbroker_xml = pathutil.pathjoin(
        gtdir, 'etc/nimbus-context-broker/other/main.xml')
    pathutil.ensure_file_exists(restbroker_xml,
                                "Context Broker REST interface config")

    args = [
        brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
        'caCertPath', cacert, 'caKeyPath', cakey
    ]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_SERVICE_RESOURCE,
                                              args=args)
    runutil.generic_bailout("Problem adjusting broker config", exitcode,
                            stdout, stderr)

    args = [
        brokerconfig, 'NimbusContextBroker', 'rest', 'keystoreLocation',
        keystore, 'keystorePassword', keystore_pass, 'springConfig',
        restbroker_xml
    ]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_SERVICE_RESOURCE,
                                              args=args)
    runutil.generic_bailout("Problem adjusting broker config", exitcode,
                            stdout, stderr)
    log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
Esempio n. 6
0
def get_brokerconfig_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_BROKERCONFIG)
Esempio n. 7
0
def main(argv=None):
    if os.name != 'posix':
        print >> sys.stderr, "Only runs on POSIX systems."
        return 3

    parser = parsersetup()

    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()

    global log
    log = None

    printdebugoutput = False

    try:

        # 1. Intake args and confs

        validateargs(opts)
        config = getconfig(filepath=opts.configpath)

        # 2. Setup logging

        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True

        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)

        # 3. Dump settings

        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)

        insecuremode = opts.insecuremode
        if insecuremode:
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")

        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except:
            raise InvalidConfig(
                "invalid token.expire_hours setting, not an integer?")

        # 4. Validate base directory

        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment(
                "Base directory setting is not absolute, have you been altering the stanadalone launch code?"
            )

        pathutil.ensure_dir_exists(
            basedir, "base",
            ": have you been altering the stanadalone launch code?")

        # 5. Run one subcommand

        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)

        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log,
                        printdebugoutput, insecuremode, printurl, expire_hours,
                        cadir)

        if opts.printport:
            if not port:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except:
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is not an integer?")
            print port

        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.cert' configuration")
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" %
                          certconf)
            print certconf

        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" %
                          keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >> sys.stderr, msg
        return 1
Esempio n. 8
0
def jarsdir(basedir):
    return pathutil.pathjoin(basedir, "lib/java")
Esempio n. 9
0
def createCert(CN,
               basedir,
               cadir,
               certtarget,
               keytarget,
               log,
               allow_overwrite=False):

    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)

    cacert_path = findCAcert(basedir, cadir, log)
    cakey_path = findCAkey(basedir, cadir, log)

    # Create temp directory.
    uuid = pathutil.uuidgen()
    tempdir = pathutil.pathjoin(cadir, uuid)
    os.mkdir(tempdir)
    pathutil.ensure_dir_exists(tempdir, "temp certs directory")
    log.debug("Created %s" % tempdir)

    args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_NEW_CERT,
                                              args=args)
    runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
                            stderr)

    pub_DN = stdout.strip()

    temp_pub_path = pathutil.pathjoin(tempdir, "pub")
    pathutil.ensure_file_exists(temp_pub_path, "temp cert")
    log.debug("temp cert exists: " + temp_pub_path)

    # copy that to user-cert records
    args = [temp_pub_path]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GET_HASHED_CERT_NAME,
                                              args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
                            stdout, stderr)
    usercertfilehash = stdout.strip()
    log.debug("user cert file hash is '%s'" % usercertfilehash)
    cert_records_path = pathutil.pathjoin(cadir, "user-certs")
    cert_records_path = pathutil.pathjoin(cert_records_path,
                                          usercertfilehash + ".0")
    shutil.copyfile(temp_pub_path, cert_records_path)
    pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
    log.debug("cert exists at target: " + cert_records_path)

    temp_priv_path = pathutil.pathjoin(tempdir, "priv")
    pathutil.ensure_file_exists(temp_priv_path, "temp key")
    log.debug("temp key exists: " + temp_priv_path)

    log.debug("Created certificate: %s" % pub_DN)

    # Those user-supplied targets still don't exist, right? :-)
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)

    shutil.copyfile(temp_pub_path, certtarget)
    pathutil.ensure_file_exists(certtarget, "new certificate")
    log.debug("cert exists at target: " + certtarget)

    shutil.copyfile(temp_priv_path, keytarget)
    pathutil.ensure_file_exists(keytarget, "new key")
    log.debug("key exists at target: " + keytarget)

    pathutil.make_path_rw_private(keytarget)
    pathutil.ensure_path_private(keytarget, "new key")
    log.debug("file made private: %s" % keytarget)

    shutil.rmtree(tempdir)

    return pub_DN
Esempio n. 10
0
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    log.debug("Checking SSL")

    # If the configurations themselves are missing, we cannot continue.
    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")

    # If the configurations are relative, they are assumed to be relative from
    # the base directory.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)

    # If the configured certificate exists, check the key permissions, then
    # exit.
    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf

    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        # check key permission
        if pathutil.is_path_private(keyconf):
            log.debug("key is owner-read only: %s" % keyconf)
        else:
            print >> sys.stderr, "***"
            print >> sys.stderr, "*** WARNING ***"
            print >> sys.stderr, "***"
            print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner.  ssl.key: '%s'" % keyconf
        return

    # If only one of the cert/key files exists, we cannot reason about
    # what to do: error.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)

    # The configured certificate and key do not exist; create them.

    print "Cannot find configured certificate and key for HTTPS, creating these for you."

    # If the internal CA does not exist, create that first.
    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        print "\nCannot find internal CA, creating this for you.\n"
        print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
        print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"

        ca_name = raw_input("Enter a name: ")

        if not ca_name:
            ca_name = pathutil.uuidgen()
            print "You did not enter a name, using '%s'" % ca_name
        else:
            ca_name = ca_name.split()[0]
            print "Using '%s'" % ca_name

        autoca.createCA(ca_name, basedir, cadir, log)
        print "\nCreated internal CA: %s" % cadir

    if not hostname:
        print "\nEnter the fully qualified hostname of this machine.  If you don't know or care right now, hit return to use 'localhost'.\n"

        hostname = raw_input("Hostname: ")
        if not hostname:
            hostname = "localhost"
        print "Using '%s'" % hostname

    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf
Esempio n. 11
0
def get_serverconfig_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_SERVERCONFIG)
Esempio n. 12
0
def _createCA(ca_name, basedir, cadir, log):

    javautil.check(basedir, log)

    # mkdir $cadir
    # mkdir $cadir/ca-certs
    # mkdir $cadir/trusted-certs
    # mkdir $cadir/user-certs

    os.mkdir(cadir)
    pathutil.ensure_dir_exists(cadir, "New CA directory")
    log.debug("Created %s" % cadir)

    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    os.mkdir(cacertdir)
    pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
    log.debug("Created %s" % cacertdir)

    trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
    os.mkdir(trustedcertdir)
    pathutil.ensure_dir_exists(trustedcertdir,
                               "New CA trusted certs directory")
    log.debug("Created %s" % trustedcertdir)

    usercertdir = pathutil.pathjoin(cadir, "user-certs")
    os.mkdir(usercertdir)
    pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
    log.debug("Created %s" % usercertdir)

    # Create the cert via autocommon

    args = [cacertdir, ca_name]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_NEW_CA,
                                              args=args)
    runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)

    # Make the private key owner-readable only

    privkeyname = "private-key-" + ca_name + ".pem"
    cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
    pathutil.ensure_file_exists(cakeyfile, "New CA key")
    log.debug("file exists: %s" % cakeyfile)
    pathutil.make_path_rw_private(cakeyfile)
    pathutil.ensure_path_private(cakeyfile, "New CA key")
    log.debug("file made private: %s" % cakeyfile)

    # Copy the new certificate file to the "hash.0" version that some toolings
    # will expect.

    cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
    pathutil.ensure_file_exists(cacertfile, "New CA cert")
    log.debug("file exists: %s" % cacertfile)

    args = [cacertfile]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GET_HASHED_CERT_NAME,
                                              args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
                            stdout, stderr)
    cacertfilehash = stdout.strip()
    log.debug("cert file hash is '%s'" % cacertfilehash)

    newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
    log.debug("file exists: %s" % newpath)

    newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
    log.debug("file exists: %s" % newpath)

    # Signing policy

    signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
    args = [cacertfile, signing1]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_WRITE_SIGNING_POLICY,
                                              args=args)
    runutil.generic_bailout("Problem creating signing_policy file.", exitcode,
                            stdout, stderr)
    pathutil.ensure_file_exists(signing1, "signing_policy file #1")
    log.debug("file exists: %s" % signing1)

    signing2 = pathutil.pathjoin(trustedcertdir,
                                 cacertfilehash + ".signing_policy")
    shutil.copyfile(signing1, signing2)
    pathutil.ensure_file_exists(signing2, "signing_policy file #2")
    log.debug("file exists: %s" % signing2)

    # CRL

    crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
    args = [crl1, cacertfile, cakeyfile]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_CRL,
                                              args=args)
    runutil.generic_bailout("Problem creating revocation file.", exitcode,
                            stdout, stderr)
    pathutil.ensure_file_exists(crl1, "revocation file #1")
    log.debug("file exists: %s" % crl1)

    crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
    shutil.copyfile(crl1, crl2)
    pathutil.ensure_file_exists(crl2, "revocation file #2")
    log.debug("file exists: %s" % crl2)
Esempio n. 13
0
def get_brokerconfig_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_BROKERCONFIG)
Esempio n. 14
0
def get_secdesc_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_SECDESC)
Esempio n. 15
0
def run(basedir, timezone, accountprompt, log, debug, insecuremode, printurl, 
        expire_hours, cadir):
    log.debug("Installing new configurations to django and cherrypy")
    
    if not accountprompt:
        accountprompt = "contact the administrator."
    
    if not timezone:
        raise IncompatibleEnvironment("There is no 'timezone' configuration")
        
    # --------------------------------------------------------------------------
    # The generated_settings.py file is created and replaced at will by this
    # newconf system.
    
    # sanity check:
    real_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/settings.py")
    pathutil.ensure_file_exists(real_settings, "web settings")
    log.debug("file exists: %s" % real_settings)
    
    generated_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_settings.py")
    if pathutil.check_path_exists(generated_settings):
        log.debug("Going to overwrite previously written generated_settings.py")
    
    lines = []
    
    # sqlite DB
    db_path = pathutil.pathjoin(basedir, "var/nimbus.sqlite")
    lines.append("DATABASE_ENGINE = 'sqlite3'")
    lines.append("DATABASE_NAME = '%s'" % db_path)
    
    lines.append("TIME_ZONE = '%s'" % timezone)
    lines.append("NIMBUS_ACCOUNT_PROMPT = '%s'" % accountprompt)

    cadir_path = pathutil.pathjoin(basedir, cadir)
    lines.append("NIMBUS_CADIR = '%s'" % cadir_path)
    
    if debug:
        lines.append("DEBUG = True")
        lines.append("TEMPLATE_DEBUG = True")
    else:
        lines.append("DEBUG = False")
        lines.append("TEMPLATE_DEBUG = False")
        
    if insecuremode:
        lines.append("SESSION_COOKIE_SECURE = False")
    else:
        lines.append("SESSION_COOKIE_SECURE = True")
        
    lines.append("NIMBUS_PRINT_URL = '%s'" % printurl)
    lines.append("NIMBUS_TOKEN_EXPIRE_HOURS = %d" % expire_hours)

    generated_text = "\n"
    for line in lines:
        generated_text += line
        generated_text += "\n"
        
    log.debug("Going to write this to generated_settings:\n%s" % generated_text)

    f = open(generated_settings, 'w')
    f.write(generated_text)
    f.close()
    pathutil.ensure_file_exists(generated_settings, "generated web settings")
    print "Wrote generated_settings: %s" % generated_settings
    
    # --------------------------------------------------------------------------
    
    generated_secrets = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_secrets.py")
    if not pathutil.check_path_exists(generated_secrets):
    
        # Creating secret each newconf would mean that people's sessions won't
        # work after webapp reboot and they would need to login again.
        # Instead, it is only written when nonexistent (clean-slate script will
        # remove it).
        lines = []
        okchars = string.letters + string.digits + "!@%^_&*+-"
        okchars += okchars
        secret = ''.join( Random().sample(okchars, 50) )
        lines.append("SECRET_KEY = '%s'" % secret)
        
        generated_text = "\n"
        for line in lines:
            generated_text += line
            generated_text += "\n"
            
        f = open(generated_secrets, 'w')
        f.write(generated_text)
        f.close()
        pathutil.ensure_file_exists(generated_secrets, "generated web secrets")
        print "Wrote generated_secrets: %s" % generated_secrets
Esempio n. 16
0
def main(argv=None):
    if os.name != 'posix':
        print >>sys.stderr, "Only runs on POSIX systems."
        return 3
        
    parser = parsersetup()

    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()
        
    global log
    log = None
    
    printdebugoutput = False
    
    try:
        
        # 1. Intake args and confs
        
        validateargs(opts)
        config = getconfig(filepath=opts.configpath)
        
        # 2. Setup logging
        
        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True
            
        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)
            
        # 3. Dump settings
            
        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)
        
        insecuremode = opts.insecuremode
        if insecuremode:
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")
        
        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        rest_url = config_from_key(config, "nimbusrest.url")
        rest_key = config_from_key(config, "nimbusrest.key")
        rest_secret = config_from_key(config, "nimbusrest.secret")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except:
            raise InvalidConfig("invalid token.expire_hours setting, not an integer?")
                
        # 4. Validate base directory
        
        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment("Base directory setting is not absolute, have you been altering the stanadalone launch code?")
    
        pathutil.ensure_dir_exists(basedir, "base", ": have you been altering the stanadalone launch code?")
            
        # 5. Run one subcommand
        
        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)
            
        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log, 
                    printdebugoutput, insecuremode, printurl, expire_hours, 
                    cadir, rest_url, rest_key, rest_secret)
        
        if opts.printport:
            if not port:
                raise IncompatibleEnvironment("There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except:
                raise IncompatibleEnvironment("'webserver.port' configuration is not an integer?")
            print port
        
        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment("There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
            print certconf
            
        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >>sys.stderr, msg
        return 1
Esempio n. 17
0
def get_secdesc_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_SECDESC)
Esempio n. 18
0
def createCert(CN, basedir, cadir, certtarget, keytarget, log, 
        allow_overwrite=False):
    
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)
    
    cacert_path = findCAcert(basedir, cadir, log)
    cakey_path = findCAkey(basedir, cadir, log)
    
    # Create temp directory.
    uuid = pathutil.uuidgen()
    tempdir = pathutil.pathjoin(cadir, uuid)
    os.mkdir(tempdir)
    pathutil.ensure_dir_exists(tempdir, "temp certs directory")
    log.debug("Created %s" % tempdir)
    
    args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
    runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
    
    pub_DN = stdout.strip()
    
    temp_pub_path = pathutil.pathjoin(tempdir, "pub")
    pathutil.ensure_file_exists(temp_pub_path, "temp cert")
    log.debug("temp cert exists: " + temp_pub_path)
    
    # copy that to user-cert records
    args = [temp_pub_path]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
    usercertfilehash = stdout.strip()
    log.debug("user cert file hash is '%s'" % usercertfilehash)
    cert_records_path = pathutil.pathjoin(cadir, "user-certs")
    cert_records_path = pathutil.pathjoin(cert_records_path,
                                          usercertfilehash + ".0")
    shutil.copyfile(temp_pub_path, cert_records_path)
    pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
    log.debug("cert exists at target: " + cert_records_path)
    
    temp_priv_path = pathutil.pathjoin(tempdir, "priv")
    pathutil.ensure_file_exists(temp_priv_path, "temp key")
    log.debug("temp key exists: " + temp_priv_path)
    
    log.debug("Created certificate: %s" % pub_DN)
    
    # Those user-supplied targets still don't exist, right? :-)
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)
    
    shutil.copyfile(temp_pub_path, certtarget)
    pathutil.ensure_file_exists(certtarget, "new certificate")
    log.debug("cert exists at target: " + certtarget)
    
    shutil.copyfile(temp_priv_path, keytarget)
    pathutil.ensure_file_exists(keytarget, "new key")
    log.debug("key exists at target: " + keytarget)
    
    pathutil.make_path_rw_private(keytarget)
    pathutil.ensure_path_private(keytarget, "new key")
    log.debug("file made private: %s" % keytarget)
    
    shutil.rmtree(tempdir)

    return pub_DN
Esempio n. 19
0
def _createCA(ca_name, basedir, cadir, log):
    
    javautil.check(basedir, log)
    
    # mkdir $cadir
    # mkdir $cadir/ca-certs
    # mkdir $cadir/trusted-certs
    # mkdir $cadir/user-certs
    
    os.mkdir(cadir)
    pathutil.ensure_dir_exists(cadir, "New CA directory")
    log.debug("Created %s" % cadir)
    
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    os.mkdir(cacertdir)
    pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
    log.debug("Created %s" % cacertdir)
    
    trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
    os.mkdir(trustedcertdir)
    pathutil.ensure_dir_exists(trustedcertdir, "New CA trusted certs directory")
    log.debug("Created %s" % trustedcertdir)
    
    usercertdir = pathutil.pathjoin(cadir, "user-certs")
    os.mkdir(usercertdir)
    pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
    log.debug("Created %s" % usercertdir)
    
    # Create the cert via autocommon
    
    args = [cacertdir, ca_name]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CA, args=args)
    runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
    
    
    # Make the private key owner-readable only
    
    privkeyname = "private-key-" + ca_name + ".pem"
    cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
    pathutil.ensure_file_exists(cakeyfile, "New CA key")
    log.debug("file exists: %s" % cakeyfile)
    pathutil.make_path_rw_private(cakeyfile)
    pathutil.ensure_path_private(cakeyfile, "New CA key")
    log.debug("file made private: %s" % cakeyfile)
    
    
    # Copy the new certificate file to the "hash.0" version that some toolings
    # will expect.
    
    cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
    pathutil.ensure_file_exists(cacertfile, "New CA cert")
    log.debug("file exists: %s" % cacertfile)
    
    args = [cacertfile]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
    cacertfilehash = stdout.strip()
    log.debug("cert file hash is '%s'" % cacertfilehash)
    
    newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
    log.debug("file exists: %s" % newpath)
    
    newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
    log.debug("file exists: %s" % newpath)
    
    # Signing policy
    
    signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
    args = [cacertfile, signing1]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_WRITE_SIGNING_POLICY, args=args)
    runutil.generic_bailout("Problem creating signing_policy file.", exitcode, stdout, stderr)
    pathutil.ensure_file_exists(signing1, "signing_policy file #1")
    log.debug("file exists: %s" % signing1)
    
    signing2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".signing_policy")
    shutil.copyfile(signing1, signing2)
    pathutil.ensure_file_exists(signing2, "signing_policy file #2")
    log.debug("file exists: %s" % signing2)
        
    # CRL
    
    crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
    args = [crl1, cacertfile, cakeyfile]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_CRL, args=args)
    runutil.generic_bailout("Problem creating revocation file.", exitcode, stdout, stderr)
    pathutil.ensure_file_exists(crl1, "revocation file #1")
    log.debug("file exists: %s" % crl1)
    
    crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
    shutil.copyfile(crl1, crl2)
    pathutil.ensure_file_exists(crl2, "revocation file #2")
    log.debug("file exists: %s" % crl2)
Esempio n. 20
0
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    log.debug("Checking SSL")
    
    # If the configurations themselves are missing, we cannot continue.
    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
        
    # If the configurations are relative, they are assumed to be relative from
    # the base directory.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
        
    # If the configured certificate exists, check the key permissions, then
    # exit.
    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
        
    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        # check key permission
        if pathutil.is_path_private(keyconf):
            log.debug("key is owner-read only: %s" % keyconf)
        else:
            print >>sys.stderr, "***"
            print >>sys.stderr, "*** WARNING ***"
            print >>sys.stderr, "***"
            print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner.  ssl.key: '%s'" % keyconf
        return
        
    # If only one of the cert/key files exists, we cannot reason about
    # what to do: error.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)
        
    
    # The configured certificate and key do not exist; create them.
    
    print "Cannot find configured certificate and key for HTTPS, creating these for you."
    
    # If the internal CA does not exist, create that first.
    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        print "\nCannot find internal CA, creating this for you.\n"
        print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
        print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
        
        ca_name = raw_input("Enter a name: ")
        
        if not ca_name:
            ca_name = pathutil.uuidgen()
            print "You did not enter a name, using '%s'" % ca_name
        else:
            ca_name = ca_name.split()[0]
            print "Using '%s'" % ca_name
        
        autoca.createCA(ca_name, basedir, cadir, log)
        print "\nCreated internal CA: %s" % cadir
    
    if not hostname:
        print "\nEnter the fully qualified hostname of this machine.  If you don't know or care right now, hit return to use 'localhost'.\n"
        
        hostname = raw_input("Hostname: ")
        if not hostname:
            hostname = "localhost"
        print "Using '%s'" % hostname
    
    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf
Esempio n. 21
0
def get_serverconfig_path(gtdir):
    return pathutil.pathjoin(gtdir, CONF_SERVERCONFIG)