def server():
"""Run server in standalone development mode."""
app = create_app(os.environ['COMMANDMENT_SETTINGS'])
# Werkzeug, in debug mode, will launch the app using the debug file-system
# watching auto-reloader. For threads this means that there would be two
# sets of threads launched. Here we try to guard against that by only
# starting our runner threads when either the reloader (debug) is off, or
# only in the reloader sub-process and not the reloader parent process to
# avoid extraneous threads being created.
# TODO: re-enable runner after python3 rewrite
with app.app_context():
apns = get_apns()
#
#
# if not app.config.get('DEBUG') or werkzeug.serving.is_running_from_reloader():
# start_runner()
# atexit.register(stop_runner)
cert_path = os.path.join(app.root_path, app.config.get('SSL_CERTIFICATE'))
key_path = os.path.join(app.root_path, app.config.get('SSL_RSA_KEY'))
app.logger.debug('Using RSA Private Key From: %s', os.path.abspath(key_path))
app.logger.debug('Using SSL Certificate From: %s', os.path.abspath(cert_path))
# pk, csr = generate_signing_request(app.config['PUBLIC_HOSTNAME'])
# app.logger.debug('Generated signing request for', app.config['PUBLIC_HOSTNAME'])
if not os.path.exists(cert_path) and not os.path.exists(key_path):
app.logger.info('Generating Self Signed Certificate')
pk, cert = generate_self_signed_certificate(app.config['PUBLIC_HOSTNAME'])
pem_key = pk.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
with open(key_path, 'wb') as fd:
fd.write(pem_key)
pem_cert = cert.public_bytes(
encoding=serialization.Encoding.PEM
)
with open(cert_path, 'wb') as fd:
fd.write(pem_cert)
# http://werkzeug.pocoo.org/docs/0.11/serving/#werkzeug.serving.run_simple
app.run(
host='0.0.0.0',
port=app.config.get('PORT'),
ssl_context=(cert_path, key_path),
threaded=True)
def mdmcert_request(email: str):
"""Ask the mdmcert.download service to generate a new Certificate Signing Request for the given e-mail address.
If an encryption certificate does not exist on the system, one will be generated to process the resulting encrypted
and signed CSR. The common name of the certificate will be the e-mail address that is registered with the
mdmcert.download service, and the type will be an EncryptionCertificate.
:reqheader Accept: application/json
:resheader Content-Type: application/json
"""
try:
apns_csr_model = db.session.query(CertificateSigningRequest).\
filter(CertificateSigningRequest.x509_cn == "commandment-apns").one()
except NoResultFound:
private_key, csr = cmdssl.generate_signing_request('commandment-apns')
private_key_model = RSAPrivateKey.from_crypto(private_key)
db.session.add(private_key_model)
apns_csr_model = CertificateSigningRequest.from_crypto(csr)
apns_csr_model.rsa_private_key = private_key_model
db.session.add(apns_csr_model)
db.session.commit()
try:
encrypt_cert_model = db.session.query(EncryptionCertificate).\
filter(EncryptionCertificate.x509_cn == email).one()
except NoResultFound:
encrypt_key, encrypt_with_cert = cmdssl.generate_self_signed_certificate(
email)
encrypt_key_model = RSAPrivateKey.from_crypto(encrypt_key)
db.session.add(encrypt_key_model)
encrypt_cert_model = EncryptionCertificate.from_crypto(
encrypt_with_cert)
encrypt_cert_model.rsa_private_key = encrypt_key_model
db.session.add(encrypt_cert_model)
db.session.commit()
current_app.logger.info("Submitting request to mdmcert.download for %s",
email)
mdmcert_result = submit_mdmcert_request(
email=email,
csr_pem=apns_csr_model.pem_data,
encrypt_with_pem=encrypt_cert_model.pem_data,
)
return jsonify(mdmcert_result)