def ensureKeystore(certpath, keypath, storepath, password, basedir, log):
"""
Creates or validates a Java keystore from PEM-encoded certificate and key
"""
if not pathutil.check_path_exists(certpath):
msg = "Certificate file does not exist: " + certpath
raise IncompatibleEnvironment(msg)
if not pathutil.check_path_exists(keypath):
msg = "Private key file does not exist: " + keypath
raise IncompatibleEnvironment(msg)
if pathutil.check_path_exists(storepath):
log.debug("Keystore file exists: %s." % storepath,
"Ensuring that it contains right cert/key")
args = [certpath, keypath, storepath, password]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_KEYSTORE_FROM_PEM,
args=args)
if exitcode == 2:
raise KeystoreMismatchError(stderr)
runutil.generic_bailout("Problem creating keystore", exitcode, stdout,
stderr)
def createCA(ca_name, basedir, cadir, log):
if pathutil.check_path_exists(cadir):
raise IncompatibleEnvironment("cannot create a CA at a directory that exists already")
try:
_createCA(ca_name, basedir, cadir, log)
except:
if not WIPE_NEW_CA_DIRECTORY_ON_ERRORS:
raise
# wipe the whole directory
print >>sys.stderr, "Error, wiping the unfinished '%s' directory" % cadir
shutil.rmtree(cadir)
raise
def createCA(ca_name, basedir, cadir, log):
if pathutil.check_path_exists(cadir):
raise IncompatibleEnvironment(
"cannot create a CA at a directory that exists already")
try:
_createCA(ca_name, basedir, cadir, log)
except:
if not WIPE_NEW_CA_DIRECTORY_ON_ERRORS:
raise
# wipe the whole directory
print >> sys.stderr, "Error, wiping the unfinished '%s' directory" % cadir
shutil.rmtree(cadir)
raise
def getCertDN(certpath, basedir, log):
if not pathutil.check_path_exists(certpath):
msg = "Certificate file does not exist: " + certpath
raise IncompatibleEnvironment(msg)
args = [certpath]
(exitcode, stdout, stderr) = javautil.run(basedir, log,
EXE_GET_CERT_DN, args=args)
runutil.generic_bailout("Problem finding cert DN",
exitcode, stdout, stderr)
return stdout.strip()
def getCertDN(certpath, basedir, log):
if not pathutil.check_path_exists(certpath):
msg = "Certificate file does not exist: " + certpath
raise IncompatibleEnvironment(msg)
args = [certpath]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_CERT_DN,
args=args)
runutil.generic_bailout("Problem finding cert DN", exitcode, stdout,
stderr)
return stdout.strip()
def ensureKeystore(certpath, keypath, storepath, password, basedir, log):
"""
Creates or validates a Java keystore from PEM-encoded certificate and key
"""
if not pathutil.check_path_exists(certpath):
msg = "Certificate file does not exist: " + certpath
raise IncompatibleEnvironment(msg)
if not pathutil.check_path_exists(keypath):
msg = "Private key file does not exist: " + keypath
raise IncompatibleEnvironment(msg)
if pathutil.check_path_exists(storepath):
log.debug("Keystore file exists: %s." % storepath,
"Ensuring that it contains right cert/key")
args = [certpath, keypath, storepath, password]
(exitcode, stdout, stderr) = javautil.run(basedir, log,
EXE_KEYSTORE_FROM_PEM, args=args)
if exitcode == 2:
raise KeystoreMismatchError(stderr)
runutil.generic_bailout("Problem creating keystore",
exitcode, stdout, stderr)
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >>sys.stderr, "***"
print >>sys.stderr, "*** WARNING ***"
print >>sys.stderr, "***"
print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def createCert(CN,
basedir,
cadir,
certtarget,
keytarget,
log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CERT,
args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def run(basedir, timezone, accountprompt, log, debug, insecuremode, printurl, expire_hours, cadir):
log.debug("Installing new configurations to django and cherrypy")
if not accountprompt:
accountprompt = "contact the administrator."
if not timezone:
raise IncompatibleEnvironment("There is no 'timezone' configuration")
# --------------------------------------------------------------------------
# The generated_settings.py file is created and replaced at will by this
# newconf system.
# sanity check:
real_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/settings.py")
pathutil.ensure_file_exists(real_settings, "web settings")
log.debug("file exists: %s" % real_settings)
generated_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_settings.py")
if pathutil.check_path_exists(generated_settings):
log.debug("Going to overwrite previously written generated_settings.py")
lines = []
# sqlite DB
db_path = pathutil.pathjoin(basedir, "var/nimbus.sqlite")
lines.append("DATABASE_ENGINE = 'sqlite3'")
lines.append("DATABASE_NAME = '%s'" % db_path)
lines.append("TIME_ZONE = '%s'" % timezone)
lines.append("NIMBUS_ACCOUNT_PROMPT = '%s'" % accountprompt)
cadir_path = pathutil.pathjoin(basedir, cadir)
lines.append("NIMBUS_CADIR = '%s'" % cadir_path)
if debug:
lines.append("DEBUG = True")
lines.append("TEMPLATE_DEBUG = True")
else:
lines.append("DEBUG = False")
lines.append("TEMPLATE_DEBUG = False")
if insecuremode:
lines.append("SESSION_COOKIE_SECURE = False")
else:
lines.append("SESSION_COOKIE_SECURE = True")
lines.append("NIMBUS_PRINT_URL = '%s'" % printurl)
lines.append("NIMBUS_TOKEN_EXPIRE_HOURS = %d" % expire_hours)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
log.debug("Going to write this to generated_settings:\n%s" % generated_text)
f = open(generated_settings, "w")
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_settings, "generated web settings")
print "Wrote generated_settings: %s" % generated_settings
# --------------------------------------------------------------------------
generated_secrets = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_secrets.py")
if not pathutil.check_path_exists(generated_secrets):
# Creating secret each newconf would mean that people's sessions won't
# work after webapp reboot and they would need to login again.
# Instead, it is only written when nonexistent (clean-slate script will
# remove it).
lines = []
okchars = string.letters + string.digits + "!@%^_&*+-"
okchars += okchars
secret = "".join(Random().sample(okchars, 50))
lines.append("SECRET_KEY = '%s'" % secret)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
f = open(generated_secrets, "w")
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_secrets, "generated web secrets")
print "Wrote generated_secrets: %s" % generated_secrets
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >> sys.stderr, "***"
print >> sys.stderr, "*** WARNING ***"
print >> sys.stderr, "***"
print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def run(basedir, timezone, accountprompt, log, debug, insecuremode, printurl,
expire_hours, cadir):
log.debug("Installing new configurations to django and cherrypy")
if not accountprompt:
accountprompt = "contact the administrator."
if not timezone:
raise IncompatibleEnvironment("There is no 'timezone' configuration")
# --------------------------------------------------------------------------
# The generated_settings.py file is created and replaced at will by this
# newconf system.
# sanity check:
real_settings = pathutil.pathjoin(
basedir, "src/python/nimbusweb/portal/settings.py")
pathutil.ensure_file_exists(real_settings, "web settings")
log.debug("file exists: %s" % real_settings)
generated_settings = pathutil.pathjoin(
basedir, "src/python/nimbusweb/portal/generated_settings.py")
if pathutil.check_path_exists(generated_settings):
log.debug(
"Going to overwrite previously written generated_settings.py")
lines = []
# sqlite DB
db_path = pathutil.pathjoin(basedir, "var/nimbus.sqlite")
lines.append("DATABASE_ENGINE = 'sqlite3'")
lines.append("DATABASE_NAME = '%s'" % db_path)
lines.append("TIME_ZONE = '%s'" % timezone)
lines.append("NIMBUS_ACCOUNT_PROMPT = '%s'" % accountprompt)
cadir_path = pathutil.pathjoin(basedir, cadir)
lines.append("NIMBUS_CADIR = '%s'" % cadir_path)
if debug:
lines.append("DEBUG = True")
lines.append("TEMPLATE_DEBUG = True")
else:
lines.append("DEBUG = False")
lines.append("TEMPLATE_DEBUG = False")
if insecuremode:
lines.append("SESSION_COOKIE_SECURE = False")
else:
lines.append("SESSION_COOKIE_SECURE = True")
lines.append("NIMBUS_PRINT_URL = '%s'" % printurl)
lines.append("NIMBUS_TOKEN_EXPIRE_HOURS = %d" % expire_hours)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
log.debug("Going to write this to generated_settings:\n%s" %
generated_text)
f = open(generated_settings, 'w')
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_settings, "generated web settings")
print "Wrote generated_settings: %s" % generated_settings
# --------------------------------------------------------------------------
generated_secrets = pathutil.pathjoin(
basedir, "src/python/nimbusweb/portal/generated_secrets.py")
if not pathutil.check_path_exists(generated_secrets):
# Creating secret each newconf would mean that people's sessions won't
# work after webapp reboot and they would need to login again.
# Instead, it is only written when nonexistent (clean-slate script will
# remove it).
lines = []
okchars = string.letters + string.digits + "!@%^_&*+-"
okchars += okchars
secret = ''.join(Random().sample(okchars, 50))
lines.append("SECRET_KEY = '%s'" % secret)
generated_text = "\n"
for line in lines:
generated_text += line
generated_text += "\n"
f = open(generated_secrets, 'w')
f.write(generated_text)
f.close()
pathutil.ensure_file_exists(generated_secrets, "generated web secrets")
print "Wrote generated_secrets: %s" % generated_secrets
def createCert(CN, basedir, cadir, certtarget, keytarget, log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
