def _drop_privileges(self):
""" Drop privileges with
:class:`cherrypy.process.plugins.DropPrivileges` """
DropPrivileges(cherrypy.engine,
uid=Bcfg2.Options.setup.daemon_uid,
gid=Bcfg2.Options.setup.daemon_gid,
umask=int(Bcfg2.Options.setup.umask, 8)).subscribe()
def _daemonize(self):
""" Drop privileges with
:class:`cherrypy.process.plugins.DropPrivileges`, daemonize
with :class:`cherrypy.process.plugins.Daemonizer`, and write a
PID file with :class:`cherrypy.process.plugins.PIDFile`. """
DropPrivileges(cherrypy.engine,
uid=self.setup['daemon_uid'],
gid=self.setup['daemon_gid'],
umask=int(self.setup['umask'], 8)).subscribe()
Daemonizer(cherrypy.engine).subscribe()
PIDFile(cherrypy.engine, self.setup['daemon']).subscribe()
return True
def _daemonize(self):
""" Drop privileges with
:class:`cherrypy.process.plugins.DropPrivileges`, daemonize
with :class:`cherrypy.process.plugins.Daemonizer`, and write a
PID file with :class:`cherrypy.process.plugins.PIDFile`. """
DropPrivileges(cherrypy.engine,
uid=Bcfg2.Options.setup.daemon_uid,
gid=Bcfg2.Options.setup.daemon_gid,
umask=int(Bcfg2.Options.setup.umask, 8)).subscribe()
Daemonizer(cherrypy.engine).subscribe()
PIDFile(cherrypy.engine, Bcfg2.Options.setup.daemon).subscribe()
return True
def daemonize(user, group, pidfile=None):
if os.name == 'posix' and os.getuid() == 0:
from cherrypy.process.plugins import DropPrivileges
import grp
import pwd
try:
uid = pwd.getpwnam(user)[2]
gid = grp.getgrnam(group)[2]
except KeyError:
cherrypy.log.error(
'Cannot find user `{0}` or group `{1}`'.format(user, group),
'DAEMONIZE',
logging.FATAL
)
raise
cherrypy.drop_privileges = DropPrivileges(
cherrypy.engine, uid=uid, gid=gid).subscribe()
from cherrypy.process.plugins import PIDFile, Daemonizer
if pidfile:
PIDFile(cherrypy.engine, pidfile).subscribe()
Daemonizer(cherrypy.engine).subscribe()
def configure(cfgfile):
with open_text(*_CONFIG_SPEC) as fh:
cfg = salmagundi.config.configure(cfgfile,
fh,
create_properties=False,
converters=_CONVERTERS)
_logging(cfg)
_storage_path(cfg)
_index_url(cfg)
_project_url(cfg)
_ssl(cfg)
host, port = cfg['server', 'host']
cherrypy.config.update({
'response.headers.Server': f'{PROG_NAME}/{__version__}',
'server.socket_host': host,
'server.socket_port': port,
'engine.autoreload.on': False,
'request.show_tracebacks': PYPP_DEBUG,
'request.show_mismatched_params': PYPP_DEBUG,
})
if PYPP_DEBUG:
cherrypy.engine.signal_handler.handlers['SIGUSR2'] =\
lambda: cherrypy.engine.restart()
if cfg['server', 'daemonize']:
Daemonizer(cherrypy.engine).subscribe()
cherrypy.engine.signal_handler.handlers['SIGUSR1'] = None
if os.getuid() == 0:
uid, gid = _user_group(cfg)
if uid:
DropPrivileges(cherrypy.engine, uid=uid, gid=gid).subscribe()
else:
cherrypy.log("running as 'root'", 'WARNING')
if cfg['server', 'pidfile']:
PIDFile(cherrypy.engine, cfg['server', 'pidfile']).subscribe()
rv = {opt: cfg['pypackproxy', opt] for opt in cfg.options('pypackproxy')}
rv['proxies'] = _proxies(cfg)
rv['user-agent'] = f'{PROG_NAME}/{__version__}'
return rv
def daemonize(self):
if not _daemon_conf.on:
return
if os.name == 'posix' and os.getuid() == 0:
from cherrypy.process.plugins import DropPrivileges
import grp, pwd
try:
uid = pwd.getpwnam(_daemon_conf.user)[2]
gid = grp.getgrnam(_daemon_conf.group)[2]
except KeyError:
cherrypy.log.error(
'Cannot find user "{0}" or group "{1}"'.format(
_daemon_conf.user, _daemon_conf.group), 'SERVER',
logging.FATAL)
raise
cherrypy.drop_privileges = DropPrivileges(cherrypy.engine,
uid=uid,
gid=gid).subscribe()
from cherrypy.process.plugins import PIDFile, Daemonizer
if _daemon_conf.pid_file:
PIDFile(cherrypy.engine, _daemon_conf.pid_file).subscribe()
Daemonizer(cherrypy.engine).subscribe()
help="Temporary directory",
type="str")
parser.add_option("-d",
"--daemon",
dest="daemon",
help="Daemonise? any value, false by default",
type="str")
(options, args) = parser.parse_args()
if options.port:
port = options.port
if options.host:
host = options.host
if daemon:
from cherrypy.process.plugins import Daemonizer, DropPrivileges, PIDFile
DropPrivileges(cherrypy.engine, uid=1000, gid=1000).subscribe()
Daemonizer(cherrypy.engine).subscribe()
class Site(object):
exposed = True
def GET(self):
return open(os.path.join(insiderer_dir, 'static/index.html'),
'r').read()
@cherrypy.tools.json_out()
def POST(self, **kwargs):
metadata_files = []
for key, postfiles in kwargs.items():
if not isinstance(postfiles, list):
format=
'%(asctime)s : %(levelname)s : %(module)s:%(lineno)d : %(funcName)s(%(threadName)s) : %(message)s',
level=logging.DEBUG)
logger.info("running %s", ' '.join(sys.argv))
program = os.path.basename(sys.argv[0])
# check and process input arguments
if len(sys.argv) < 2:
print globals()['__doc__'] % locals()
sys.exit(1)
conf_file = sys.argv[1]
config_srv = Config(
**cherrypy.lib.reprconf.Config(conf_file).get('global'))
config = Config(
**cherrypy.lib.reprconf.Config(conf_file).get('w2v_server'))
if config_srv.pid_file:
PIDFile(cherrypy.engine, config_srv.pid_file).subscribe()
if config_srv.run_user and config_srv.run_group:
logging.info("dropping priviledges to %s:%s" %
(config_srv.run_user, config_srv.run_group))
DropPrivileges(cherrypy.engine,
gid=config_srv.run_group,
uid=config_srv.run_user).subscribe()
cherrypy.quickstart(Server(config.MODEL_FILE), config=conf_file)
logger.info("finished running %s", program)
cherrypy.server.ssl_certificate_chain = Options().ssl_certificate_chain
if Options().daemon:
# Daemon info is logged by CherryPy
daemon = Daemonizer(cherrypy.engine)
daemon.subscribe()
else:
logger.info('Not running as daemon.')
# PID is logged by CherryPy
pid = PIDFile(cherrypy.engine, os.path.join(Options().run_dir, 'cherryblog.pid'))
pid.subscribe()
if Options().privileges:
# Privileges are logged by CherryPy
privileges = DropPrivileges(cherrypy.engine, uid=Options().uid, gid=Options().gid)
privileges.subscribe()
else:
logger.info('No user privileges specified.')
cherrypy.quickstart(Application(), config=settings)
###
#
# Version: 2.2.1
# Date: 2020-04-25
# Author: Yves Vindevogel (vindevoy)
#
# Fixes:
# - Urgent bug on the type of SSL to use
#
def serve(**kwargs):
"""
Spawn a new running Cherrypy process
usage: blubeberry serve [options]
options:
-h, --help show this help message and exit
-b BINDING, --bind BINDING the address and port to bind to.
[default: 127.0.0.1:8080]
-e ENVIRONMENT, --environment ENVIRONMENT apply the given config environment
-C ENV_VAR_NAME, --env-var ENV_VAR_NAME add the given config from environment variable name
[default: BLUEBERRYPY_CONFIG]
-f start a fastcgi server instead of the default HTTP
server
-s start a scgi server instead of the default HTTP
server
-d, --daemonize run the server as a daemon. [default: False]
-p, --drop-privilege drop privilege to separately specified umask, uid
and gid. [default: False]
-P PIDFILE, --pidfile PIDFILE store the process id in the given file
-u UID, --uid UID setuid to uid [default: www]
-g GID, --gid GID setgid to gid [default: www]
-m UMASK, --umask UMASK set umask [default: 022]
"""
config = BlueberryPyConfiguration(config_dir=kwargs.get('config_dir'),
env_var_name=kwargs.get('env_var'))
cpengine = cherrypy.engine
cpenviron = kwargs.get("environment")
if cpenviron:
config = BlueberryPyConfiguration(config_dir=kwargs.get('config_dir'),
env_var_name=kwargs.get('env_var'),
environment=cpenviron)
cherrypy.config.update({"environment": cpenviron})
if config.use_email and config.email_config:
from blueberrypy import email
email.configure(config.email_config)
if config.use_logging and config.logging_config:
from blueberrypy.plugins import LoggingPlugin
cpengine.logging = LoggingPlugin(cpengine, config=config.logging_config)
if config.use_redis:
from blueberrypy.session import RedisSession
cherrypy.lib.sessions.RedisSession = RedisSession
if config.use_sqlalchemy:
from blueberrypy.plugins import SQLAlchemyPlugin
cpengine.sqlalchemy = SQLAlchemyPlugin(cpengine,
config=config.sqlalchemy_config)
from blueberrypy.tools import SQLAlchemySessionTool
cherrypy.tools.orm_session = SQLAlchemySessionTool()
if config.use_jinja2:
if config.webassets_env:
configure_jinja2(assets_env=config.webassets_env,
**config.jinja2_config)
else:
configure_jinja2(**config.jinja2_config)
# update global config first, so subsequent command line options can
# override the settings in the config files
cherrypy.config.update(config.app_config)
if kwargs.get("bind"):
address, port = kwargs.get("bind").strip().split(":")
cherrypy.server.socket_host = address
cherrypy.server.socket_port = int(port)
if kwargs.get("daemonize"):
cherrypy.config.update({'log.screen': False})
Daemonizer(cpengine).subscribe()
if kwargs.get("drop_privilege"):
cherrypy.config.update({'engine.autoreload_on': False})
DropPrivileges(cpengine, umask=int(kwargs.get("umask")),
uid=kwargs.get("uid") or "www",
gid=kwargs.get("gid") or "www").subscribe()
if kwargs.get("pidfile"):
PIDFile(cpengine, kwargs.get("pidfile")).subscribe()
fastcgi, scgi = kwargs.get("fastcgi"), kwargs.get("scgi")
if fastcgi and scgi:
cherrypy.log.error("You may only specify one of the fastcgi and "
"scgi options.", 'ENGINE')
sys.exit(1)
elif fastcgi or scgi:
# Turn off autoreload when using *cgi.
cherrypy.config.update({'engine.autoreload_on': False})
# Turn off the default HTTP server (which is subscribed by default).
cherrypy.server.unsubscribe()
addr = cherrypy.server.bind_addr
if fastcgi:
f = servers.FlupFCGIServer(application=cherrypy.tree,
bindAddress=addr)
elif scgi:
f = servers.FlupSCGIServer(application=cherrypy.tree,
bindAddress=addr)
s = servers.ServerPlugin(cpengine, httpserver=f, bind_addr=addr)
s.subscribe()
if hasattr(cpengine, 'signal_handler'):
cpengine.signal_handler.subscribe()
# for win32 only
if hasattr(cpengine, "console_control_handler"):
cpengine.console_control_handler.subscribe()
# mount the controllers
for script_name, section in config.controllers_config.viewitems():
section = section.copy()
controller = section.pop("controller")
if isinstance(controller, cherrypy.dispatch.RoutesDispatcher):
routes_config = {'/': {"request.dispatch": controller}}
for path in section.viewkeys():
if path.strip() == '/':
routes_config['/'].update(section['/'])
else:
routes_config[path] = section[path].copy()
app_config = config.app_config.copy()
app_config.pop("controllers")
routes_config.update(app_config)
cherrypy.tree.mount(None, script_name=script_name,
config=routes_config)
else:
app_config = config.app_config.copy()
app_config.pop("controllers")
controller_config = section.copy()
controller_config.update(app_config)
cherrypy.tree.mount(controller(), script_name=script_name,
config=controller_config)
# Add the blueberrypy config files into CP's autoreload monitor
# Jinja2 templates are monitored by Jinja2 itself and will autoreload if
# needed
if config.config_file_paths:
for path in config.config_file_paths:
cpengine.autoreload.files.add(path)
try:
cpengine.start()
except:
sys.exit(1)
else:
cpengine.block()
return data
if __name__ == '__main__':
# Register the SQLAlchemy plugin
# Load configuration
# from Config.Config import connectUrl, cpconfig, base_url
from Config.Config import *
from sqlalchemy_plugin.saplugin import SAEnginePlugin
from cherrypy.process.plugins import DropPrivileges
# dr = DropPrivileges(cherrypy.engine, uid=1000, gid=1000)
dr = DropPrivileges(cherrypy.engine)
dr.subscribe()
from cherrypy.process.plugins import Daemonizer
d = Daemonizer(cherrypy.engine)
d.subscribe()
connectionString = ConnectionString()
# dr = DropPrivileges(cherrypy.engine, uid=1000, gid=1000)
# dr.subscribe()
# SAEnginePlugin(cherrypy.engine, connectUrl).subscribe()
SAEnginePlugin(cherrypy.engine, connectionString).subscribe()
# Register the SQLAlchemy tool
def run(self) -> None:
""" Starts the application """
#### Command Line Argument Parsing
parser = argparse.ArgumentParser(description='ARPOC')
parser.add_argument('-c', '--config-file')
parser.add_argument('--print-sample-config', action='store_true')
parser.add_argument('--print-sample-ac', action='store_true')
parser.add_argument('--add-provider')
parser.add_argument('--client-id')
parser.add_argument('--client-secret')
parser.add_argument('-d', '--daemonize', action='store_true')
parser.add_argument('--check-ac', action='store_true')
args = parser.parse_args()
config.cfg = config.OIDCProxyConfig(config_file=args.config_file)
self.config = config.cfg
assert self.config.proxy is not None
#### Read Configuration
if args.print_sample_config:
config.cfg.print_sample_config()
return
if args.print_sample_ac:
arpoc.ac.print_sample_ac()
return
self.setup_loggers()
#### Create secrets dir and change ownership (perm)
self.create_secrets_dir()
self.oidc_handler = OidcHandler(self.config)
if args.add_provider and args.client_id and args.client_secret:
# read secrets
secrets = self.read_secrets(self.config.proxy['secrets'])
provider_cfg = self.config.openid_providers[args.add_provider]
redirect_uris = provider_cfg.redirect_uris or self.config.proxy[
'redirect_uris']
# add secrets
secret_dict = {
"client_id": args.client_id,
"client_secret": args.client_secret,
"redirect_uris": args.redirect_uris
}
secrets[args.add_provider] = secret_dict
self.oidc_handler._secrets = secrets
self.oidc_handler.create_client_from_secrets(
args.add_provider, provider_cfg)
self.save_secrets()
return
#### Read AC Rules
for acl_dir in self.config.access_control['json_dir']:
ServiceProxy.ac.load_dir(acl_dir)
if args.check_ac:
ServiceProxy.ac.check()
return
if args.daemonize:
daemonizer = Daemonizer(cherrypy.engine)
daemonizer.subscribe()
# check if pid file exists
try:
with open(self.config.misc.pid_file) as pidfile:
pid = int(pidfile.read().strip())
try:
os.kill(pid, 0) # check if running
except OSError:
PIDFile(cherrypy.engine,
self.config.misc.pid_file).subscribe()
# not running
else:
# running
print("PID File %s exists" % self.config.misc.pid_file)
print("Another instance of arpoc seems to be running")
return
except FileNotFoundError:
PIDFile(cherrypy.engine, self.config.misc.pid_file).subscribe()
#### Setup OIDC Provider
cherrypy.engine.subscribe('start', self.setup_oidc_provider, 80)
cherrypy.engine.subscribe('stop', self.cancel_scheduler, 80)
cherrypy.engine.subscribe('stop', self.save_secrets, 80)
#### Setup Cherrypy
global_conf = {
'log.screen': False,
'log.access_file': '',
'log.error_file': '',
'server.socket_host': config.cfg.proxy['address'],
'server.socket_port': config.cfg.proxy['tls_port'],
'server.ssl_private_key': config.cfg.proxy['keyfile'],
'server.ssl_certificate': config.cfg.proxy['certfile'],
'engine.autoreload.on': False
}
cherrypy.config.update(global_conf)
app_conf = {
'/': {
'tools.sessions.on': True,
'request.dispatch': self.get_routes_dispatcher()
}
}
DropPrivileges(cherrypy.engine, uid=self.uid, gid=self.gid).subscribe()
#### Start Web Server
cherrypy.tree.mount(None, '/', app_conf)
if self.config.proxy['plain_port']:
server2 = cherrypy._cpserver.Server()
server2.socket_port = self.config.proxy['plain_port']
server2._socket_host = self.config.proxy['address']
server2.thread_pool = 30
server2.subscribe()
cherrypy.engine.start()
cherrypy.engine.block()
def _daemonize(self):
DropPrivileges(cherrypy.engine,
uid=self.setup['daemon_uid'],
gid=self.setup['daemon_gid']).subscribe()
Daemonizer(cherrypy.engine).subscribe()
PIDFile(cherrypy.engine, self.setup['daemon']).subscribe()