def run(basedir, cadir, certconf, keyconf, hostnameconf, log): log.debug("Forcing a CA/hostcert install") # Reject relative paths if not pathutil.is_absolute_path(cadir): raise IncompatibleEnvironment("CA directory path is not absolute") if not pathutil.is_absolute_path(certconf): raise IncompatibleEnvironment("certificate path is not absolute") if not pathutil.is_absolute_path(keyconf): raise IncompatibleEnvironment("key path is not absolute") # The CA dir must not exist, create that first. autoca.createCA(pathutil.uuidgen(), basedir, cadir, log) print "Created auto CA: %s" % cadir # The configured certificate and key must not exist; create them. autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log) print "\nCreated hostcert: %s" % certconf print "Created hostkey: %s\n" % keyconf
def adjust_gridmap_file(gridmap, basedir, gtdir, log):
    """Point the GT container's security descriptor at a new gridmap file.

    The gridmap file and the container security descriptor (located through
    get_secdesc_path) must already exist.  The edit itself is delegated to
    the EXE_NEW_GRIDMAPFILE Java helper; a failing run is reported through
    runutil.generic_bailout.

    Parameters:
        gridmap -- absolute path of the gridmap file to use
        basedir -- installation base directory (needed by javautil.run)
        gtdir   -- GT installation directory holding the security descriptor
        log     -- logger

    Raises IncompatibleEnvironment if gridmap is not an absolute path.
    """
    if not pathutil.is_absolute_path(gridmap):
        raise IncompatibleEnvironment("gridmap path must be absolute")
    pathutil.ensure_file_exists(gridmap, "gridmap")

    secdesc_path = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc_path, "container security settings")

    # javautil.run hands back (exitcode, stdout, stderr), which is exactly
    # what generic_bailout wants after the message.
    result = javautil.run(basedir, log, EXE_NEW_GRIDMAPFILE,
                          args=[gridmap, secdesc_path])
    runutil.generic_bailout("Problem setting new gridmap file location",
                            *result)
    log.debug("Adjusted GT container gridmap file to %s" % gridmap)
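def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    """Ensure the HTTPS certificate and key exist, creating them if needed.

    Rules, in order:
      * 'ssl.cert' and 'ssl.key' must be configured.
      * Relative paths are taken relative to basedir.
      * Both files exist: only the key's permissions are checked (a warning
        goes to stderr when it is not owner-read only) and we return.
      * Exactly one exists: IncompatibleEnvironment, nothing is touched.
      * Neither exists: an internal CA is created under cadir (default
        basedir/var/ca) if it is missing, prompting for a CA name, and a
        cert/key pair is issued for `hostname`, prompting for it when not
        given.  The freshly written key gets the same permission check.

    Parameters:
        basedir  -- installation base directory
        certconf -- configured 'ssl.cert' path (may be relative)
        keyconf  -- configured 'ssl.key' path (may be relative)
        log      -- logger
        cadir    -- CA directory override; defaults to basedir/var/ca
        hostname -- certificate hostname; prompted for when None/empty.  A
                    hostname passed in by the caller is used as-is; only the
                    interactively entered one is validated.

    Raises IncompatibleEnvironment for a missing configuration, the
    one-of-two case, or an interactively entered hostname that is not a
    plain DNS name.
    """
    log.debug("Checking SSL")

    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")

    # Relative paths are relative to the base directory, not the CWD.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)

    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf

    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        _warn_unless_private(keyconf, log)
        return

    # Only one of the two exists: we cannot reason about what to do.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)

    # Neither exists; create them, and the internal CA first if needed.
    print "Cannot find configured certificate and key for HTTPS, creating these for you."

    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        _create_internal_ca(basedir, cadir, log)

    if not hostname:
        hostname = _prompt_hostname()

    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf

    # The key was just written: verify it is not readable by other users,
    # exactly as is done for a pre-existing key.
    _warn_unless_private(keyconf, log)


def _warn_unless_private(keyconf, log):
    """Print a stderr warning unless keyconf is readable by its owner only."""
    if pathutil.is_path_private(keyconf):
        log.debug("key is owner-read only: %s" % keyconf)
        return
    print >>sys.stderr, "***"
    print >>sys.stderr, "*** WARNING ***"
    print >>sys.stderr, "***"
    print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf


def _create_internal_ca(basedir, cadir, log):
    """Interactively pick a CA name and create the internal CA at cadir."""
    print "\nCannot find internal CA, creating this for you.\n"
    print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
    print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
    # strip() so whitespace-only input falls back to the UUID instead of
    # failing on split()[0] of an empty list.
    ca_name = raw_input("Enter a name: ").strip()
    if not ca_name:
        ca_name = pathutil.uuidgen()
        print "You did not enter a name, using '%s'" % ca_name
    else:
        # "one word CA name": only the first word is used.
        ca_name = ca_name.split()[0]
        print "Using '%s'" % ca_name
    autoca.createCA(ca_name, basedir, cadir, log)
    print "\nCreated internal CA: %s" % cadir


# Characters accepted in an interactively entered hostname: plain DNS names
# only, since the value is handed to the CA tooling (presumably as the
# certificate subject).
_HOSTNAME_CHARS = ("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


def _prompt_hostname():
    """Ask for the certificate hostname; empty input means 'localhost'.

    Raises IncompatibleEnvironment when the entered value contains anything
    other than letters, digits, '.' and '-'.
    """
    print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
    hostname = raw_input("Hostname: ").strip()
    if not hostname:
        hostname = "localhost"
    for ch in hostname:
        if ch not in _HOSTNAME_CHARS:
            raise IncompatibleEnvironment(
                "hostname may only contain letters, digits, '.' and '-': '%s'"
                % hostname)
    print "Using '%s'" % hostname
    return hostname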
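def main(argv=None):
    """Command-line entry point of the nimbusweb setup tool.

    Parses options (argv[1:] when argv is given, else the process argv),
    loads the configuration file, configures logging and then runs every
    subcommand whose flag is set, in this order: checkssl, newconf,
    printport, printhost, printcertpath, printkeypath, forcenewssl.

    Returns 3 on a non-POSIX host and 1 when InvalidInput is raised (the
    message is printed to stderr instead of a traceback).
    """
    if os.name != 'posix':
        print >> sys.stderr, "Only runs on POSIX systems."
        return 3

    parser = parsersetup()
    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()

    global log
    log = None
    printdebugoutput = False

    try:
        # 1. Intake args and confs
        validateargs(opts)
        config = getconfig(filepath=opts.configpath)

        # 2. Setup logging: the config file's debug switch wins, then --debug.
        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True
        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)

        # 3. Dump settings
        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)
        insecuremode = opts.insecuremode
        if insecuremode:
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")

        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except (TypeError, ValueError):
            # Only conversion failures; a bare except would also swallow
            # KeyboardInterrupt and SystemExit.
            raise InvalidConfig(
                "invalid token.expire_hours setting, not an integer?")

        # 4. Validate base directory
        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment(
                "Base directory setting is not absolute, have you been altering the stanadalone launch code?"
            )
        pathutil.ensure_dir_exists(
            basedir, "base",
            ": have you been altering the stanadalone launch code?")

        # 5. Run one subcommand
        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)

        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log,
                        printdebugoutput, insecuremode, printurl,
                        expire_hours, cadir)

        if opts.printport:
            if not port:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except (TypeError, ValueError):
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is not an integer?")
            # An integer is not enough: the value is printed for a listener
            # to bind, so it must be a valid TCP port.
            if not 0 < port < 65536:
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is out of range (1-65535): %d" % port)
            print port

        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.cert' configuration")
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
            print certconf

        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >> sys.stderr, msg
        return 1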
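def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
    """Ensure the HTTPS certificate and key exist, creating them if needed.

    Rules, in order:
      * 'ssl.cert' and 'ssl.key' must be configured.
      * Relative paths are taken relative to basedir.
      * Both files exist: only the key's permissions are checked (a warning
        goes to stderr when it is not owner-read only) and we return.
      * Exactly one exists: IncompatibleEnvironment, nothing is touched.
      * Neither exists: an internal CA is created under cadir (default
        basedir/var/ca) if it is missing, prompting for a CA name, and a
        cert/key pair is issued for `hostname`, prompting for it when not
        given.  The freshly written key gets the same permission check.

    Parameters:
        basedir  -- installation base directory
        certconf -- configured 'ssl.cert' path (may be relative)
        keyconf  -- configured 'ssl.key' path (may be relative)
        log      -- logger
        cadir    -- CA directory override; defaults to basedir/var/ca
        hostname -- certificate hostname; prompted for when None/empty.  A
                    hostname passed in by the caller is used as-is; only the
                    interactively entered one is validated.

    Raises IncompatibleEnvironment for a missing configuration, the
    one-of-two case, or an interactively entered hostname that is not a
    plain DNS name.
    """
    log.debug("Checking SSL")

    if not certconf:
        raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
    if not keyconf:
        raise IncompatibleEnvironment("There is no 'ssl.key' configuration")

    # Relative paths are relative to the base directory, not the CWD.
    if not pathutil.is_absolute_path(certconf):
        certconf = pathutil.pathjoin(basedir, certconf)
        log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
    if not pathutil.is_absolute_path(keyconf):
        keyconf = pathutil.pathjoin(basedir, keyconf)
        log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)

    missingcert = None
    missingkey = None
    if not pathutil.check_path_exists(certconf):
        missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
    if not pathutil.check_path_exists(keyconf):
        missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf

    if not missingcert and not missingkey:
        log.debug("cert and key confs exist already, checking key perms")
        _warn_unless_private(keyconf, log)
        return

    # Only one of the two exists: we cannot reason about what to do.
    prefix = "Only one of the SSL cert/key file exists, cannot continue. "
    if missingcert and not missingkey:
        raise IncompatibleEnvironment(prefix + missingcert)
    if missingkey and not missingcert:
        raise IncompatibleEnvironment(prefix + missingkey)

    # Neither exists; create them, and the internal CA first if needed.
    print "Cannot find configured certificate and key for HTTPS, creating these for you."

    if not cadir:
        cadir = pathutil.pathjoin(basedir, "var/ca")
    if not pathutil.check_path_exists(cadir):
        _create_internal_ca(basedir, cadir, log)

    if not hostname:
        hostname = _prompt_hostname()

    autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
    print "\nCreated certificate: %s" % certconf
    print "Created key: %s\n" % keyconf

    # The key was just written: verify it is not readable by other users,
    # exactly as is done for a pre-existing key.
    _warn_unless_private(keyconf, log)


def _warn_unless_private(keyconf, log):
    """Print a stderr warning unless keyconf is readable by its owner only."""
    if pathutil.is_path_private(keyconf):
        log.debug("key is owner-read only: %s" % keyconf)
        return
    print >> sys.stderr, "***"
    print >> sys.stderr, "*** WARNING ***"
    print >> sys.stderr, "***"
    print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf


def _create_internal_ca(basedir, cadir, log):
    """Interactively pick a CA name and create the internal CA at cadir."""
    print "\nCannot find internal CA, creating this for you.\n"
    print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
    print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
    # strip() so whitespace-only input falls back to the UUID instead of
    # failing on split()[0] of an empty list.
    ca_name = raw_input("Enter a name: ").strip()
    if not ca_name:
        ca_name = pathutil.uuidgen()
        print "You did not enter a name, using '%s'" % ca_name
    else:
        # "one word CA name": only the first word is used.
        ca_name = ca_name.split()[0]
        print "Using '%s'" % ca_name
    autoca.createCA(ca_name, basedir, cadir, log)
    print "\nCreated internal CA: %s" % cadir


# Characters accepted in an interactively entered hostname: plain DNS names
# only, since the value is handed to the CA tooling (presumably as the
# certificate subject).
_HOSTNAME_CHARS = ("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


def _prompt_hostname():
    """Ask for the certificate hostname; empty input means 'localhost'.

    Raises IncompatibleEnvironment when the entered value contains anything
    other than letters, digits, '.' and '-'.
    """
    print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
    hostname = raw_input("Hostname: ").strip()
    if not hostname:
        hostname = "localhost"
    for ch in hostname:
        if ch not in _HOSTNAME_CHARS:
            raise IncompatibleEnvironment(
                "hostname may only contain letters, digits, '.' and '-': '%s'"
                % hostname)
    print "Using '%s'" % hostname
    return hostname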
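def main(argv=None):
    """Command-line entry point of the nimbusweb setup tool.

    Parses options (argv[1:] when argv is given, else the process argv),
    loads the configuration file, configures logging and then runs every
    subcommand whose flag is set, in this order: checkssl, newconf,
    printport, printhost, printcertpath, printkeypath, forcenewssl.

    Returns 3 on a non-POSIX host and 1 when InvalidInput is raised (the
    message is printed to stderr instead of a traceback).
    """
    if os.name != 'posix':
        print >>sys.stderr, "Only runs on POSIX systems."
        return 3

    parser = parsersetup()
    if argv:
        (opts, args) = parser.parse_args(argv[1:])
    else:
        (opts, args) = parser.parse_args()

    global log
    log = None
    printdebugoutput = False

    try:
        # 1. Intake args and confs
        validateargs(opts)
        config = getconfig(filepath=opts.configpath)

        # 2. Setup logging: the config file's debug switch wins, then --debug.
        confdebug = config.get("nimbusweb", "debug")
        if confdebug == "on":
            printdebugoutput = True
        elif opts.debug:
            printdebugoutput = True
        if printdebugoutput:
            configureLogging(logging.DEBUG)
        else:
            configureLogging(logging.INFO)

        # 3. Dump settings
        basedir = opts.basedir
        log.debug("base directory: %s" % basedir)
        insecuremode = opts.insecuremode
        if insecuremode:
            log.debug("**** This is insecure developer mode ****")
        else:
            log.debug("secure mode")

        certconf = config_from_key(config, "ssl.cert")
        keyconf = config_from_key(config, "ssl.key")
        cadir = config_from_key(config, "ca.dir")
        timezone = config_from_key(config, "timezone")
        port = config_from_key(config, "webserver.port")
        host = config_from_key(config, "webserver.host")
        # REST credentials: handed straight to newconf, never logged here.
        rest_url = config_from_key(config, "nimbusrest.url")
        rest_key = config_from_key(config, "nimbusrest.key")
        rest_secret = config_from_key(config, "nimbusrest.secret")
        printurl = config_from_key(config, "print.url")
        accountprompt = config_from_key(config, "account.prompt")
        expire_hours = config_from_key(config, "token.expire_hours")
        try:
            expire_hours = int(expire_hours)
        except (TypeError, ValueError):
            # Only conversion failures; a bare except would also swallow
            # KeyboardInterrupt and SystemExit.
            raise InvalidConfig(
                "invalid token.expire_hours setting, not an integer?")

        # 4. Validate base directory
        if not pathutil.is_absolute_path(basedir):
            raise IncompatibleEnvironment(
                "Base directory setting is not absolute, have you been altering the stanadalone launch code?")
        pathutil.ensure_dir_exists(
            basedir, "base",
            ": have you been altering the stanadalone launch code?")

        # 5. Run one subcommand
        if opts.checkssl:
            checkssl.run(basedir, certconf, keyconf, log)

        if opts.newconf:
            newconf.run(basedir, timezone, accountprompt, log,
                        printdebugoutput, insecuremode, printurl,
                        expire_hours, cadir, rest_url, rest_key, rest_secret)

        if opts.printport:
            if not port:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.port' configuration")
            try:
                port = int(port)
            except (TypeError, ValueError):
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is not an integer?")
            # An integer is not enough: the value is printed for a listener
            # to bind, so it must be a valid TCP port.
            if not 0 < port < 65536:
                raise IncompatibleEnvironment(
                    "'webserver.port' configuration is out of range (1-65535): %d" % port)
            print port

        if opts.printhost:
            if not host:
                raise IncompatibleEnvironment(
                    "There is no 'webserver.host' configuration")
            print host

        if opts.printcertpath:
            if not certconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.cert' configuration")
            if not pathutil.is_absolute_path(certconf):
                certconf = pathutil.pathjoin(basedir, certconf)
                log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
            print certconf

        if opts.printkeypath:
            if not keyconf:
                raise IncompatibleEnvironment(
                    "There is no 'ssl.key' configuration")
            if not pathutil.is_absolute_path(keyconf):
                keyconf = pathutil.pathjoin(basedir, keyconf)
                log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
            print keyconf

        if opts.forcenewssl:
            forcessl.run(basedir, opts.forcecapath, opts.forcecertpath,
                         opts.forcekeypath, opts.forcehostname, log)

    except InvalidInput, e:
        msg = "\nProblem with input: %s" % e.msg
        print >>sys.stderr, msg
        return 1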