def db_acme_cert_issuance(store):
hostname = GLSettings.memory_copy.hostname
raw_accnt_key = PrivateFactory(store).get_val('acme_accnt_key')
accnt_key = serialization.load_pem_private_key(str(raw_accnt_key),
password=None,
backend=default_backend())
priv_key = PrivateFactory(store).get_val('https_priv_key')
regr_uri = PrivateFactory(store).get_val('acme_accnt_uri')
csr_fields = {'CN': hostname}
# NOTE sha256 is always employed as hash fnc here.
csr = tls.gen_x509_csr(priv_key, csr_fields, 256)
# Run ACME registration all the way to resolution
cert_str, chain_str = letsencrypt.run_acme_reg_to_finish(hostname,
regr_uri,
accnt_key,
priv_key,
csr,
tmp_chall_dict,
GLSettings.acme_directory_url)
PrivateFactory(store).set_val('https_cert', cert_str)
PrivateFactory(store).set_val('https_chain', chain_str)
def db_serialize(store):
prv_fact = PrivateFactory(store)
return {
'set': prv_fact.get_val('https_priv_key') != u'',
'gen': prv_fact.get_val('https_priv_gen')
}
def db_maybe_launch_https_workers(self, store):
privFact = PrivateFactory(store)
on = privFact.get_val(u'https_enabled')
if not on:
log.info("Not launching workers")
return defer.succeed(None)
site_cfgs = load_tls_dict_list(store)
valid_cfgs, err = [], None
# Determine which site_cfgs are valid and only pass those to the child.
for db_cfg in site_cfgs:
chnv = tls.ChainValidator()
ok, err = chnv.validate(db_cfg,
must_be_disabled=False,
check_expiration=False)
if ok and err is None:
valid_cfgs.append(db_cfg)
self.tls_cfg['site_cfgs'] = valid_cfgs
if not valid_cfgs:
log.info("Not launching https workers due to %s", err)
return defer.fail(err)
log.info("Decided to launch https workers")
return self.launch_https_workers()
def set_onion_service_info(store, hostname, key):
node_fact = NodeFactory(store)
node_fact.set_val(u'onionservice', hostname)
priv_fact = PrivateFactory(store)
priv_fact.set_val(u'tor_onion_key', key)
GLApiCache.invalidate()
def get_onion_service_info(store):
node_fact = NodeFactory(store)
hostname = node_fact.get_val(u'onionservice')
priv_fact = PrivateFactory(store)
key = priv_fact.get_val(u'tor_onion_key')
return hostname, key
def create_file(store, cls, raw_chain):
prv_fact = PrivateFactory(store)
db_cfg = load_tls_dict(store)
db_cfg['ssl_intermediate'] = raw_chain
cv = cls.validator()
ok, _ = cv.validate(db_cfg)
if ok:
prv_fact.set_val(u'https_chain', raw_chain)
return ok
def try_to_enable_https(store):
prv_fact = PrivateFactory(store)
cv = tls.ChainValidator()
db_cfg = load_tls_dict(store)
db_cfg['https_enabled'] = False
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val('https_enabled', True)
GLSettings.memory_copy.private.https_enabled = True
else:
raise err
def create_file(store, cls, raw_chain):
prv_fact = PrivateFactory(store)
db_cfg = load_tls_dict(store)
db_cfg['ssl_intermediate'] = raw_chain
cv = cls.validator()
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val('https_chain', raw_chain)
else:
log.debug('Chain validation failed')
return ok
def try_to_enable_https(store):
prv_fact = PrivateFactory(store)
cv = tls.ChainValidator()
db_cfg = load_tls_dict(store)
db_cfg['https_enabled'] = False
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val(u'https_enabled', True)
State.tenant_cache[1].private.https_enabled = True
else:
raise err
def create_file(store, cls, raw_cert):
prv_fact = PrivateFactory(store)
db_cfg = load_tls_dict(store)
db_cfg['ssl_cert'] = raw_cert
cv = cls.validator()
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val('https_cert', raw_cert)
else:
log.err("Cert validation failed")
return ok
def create_file(store, cls, raw_cert):
prv_fact = PrivateFactory(store)
db_cfg = load_tls_dict(store)
db_cfg['ssl_cert'] = raw_cert
cv = cls.validator()
ok, _ = cv.validate(db_cfg)
if ok:
prv_fact.set_val(u'https_cert', raw_cert)
State.tenant_cache[1].https_cert = raw_cert
return ok
def serialize_https_config_summary(store):
prv_fact = PrivateFactory(store)
file_summaries = {}
for key, file_res_cls in FileHandler.mapped_file_resources.items():
file_summaries[key] = file_res_cls.db_serialize(store)
return {
'enabled': prv_fact.get_val(u'https_enabled'),
'running': State.process_supervisor.is_running(),
'status': State.process_supervisor.get_status(),
'files': file_summaries,
'acme': prv_fact.get_val(u'acme')
}
def db_refresh_memory_variables(store):
"""
This routine loads in memory few variables of node and notification tables
that are subject to high usage.
"""
node_ro = ObjectDict(NodeFactory(store).admin_export())
GLSettings.memory_copy = node_ro
GLSettings.memory_copy.accept_tor2web_access = {
'admin': node_ro.tor2web_admin,
'custodian': node_ro.tor2web_custodian,
'whistleblower': node_ro.tor2web_whistleblower,
'receiver': node_ro.tor2web_receiver,
'unauth': node_ro.tor2web_unauth
}
enabled_langs = models.l10n.EnabledLanguage.list(store)
GLSettings.memory_copy.languages_enabled = enabled_langs
notif_ro = ObjectDict(NotificationFactory(store).admin_export())
GLSettings.memory_copy.notif = notif_ro
if GLSettings.developer_name:
GLSettings.memory_copy.notif.source_name = GLSettings.developer_name
if GLSettings.disable_mail_notification:
GLSettings.memory_copy.notif.disable_admin_notification_emails = True
GLSettings.memory_copy.notif.disable_custodian_notification_emails = True
GLSettings.memory_copy.notif.disable_receiver_notification_emails = True
GLSettings.memory_copy.private = ObjectDict(
PrivateFactory(store).mem_copy_export())
def db_serialize(store):
c = PrivateFactory(store).get_val('https_csr')
if len(c) == 0:
return {'name': 'csr', 'set': False}
return {
'name': 'csr',
'set': True,
}
def db_admin_serialize_node(store, language):
node_dict = NodeFactory(store).admin_export()
priv_dict = PrivateFactory(store)
# Contexts and Receivers relationship
configured = store.find(models.ReceiverContext).count() > 0
misc_dict = {
'version': priv_dict.get_val(u'version'),
'latest_version': priv_dict.get_val(u'latest_version'),
'languages_supported': LANGUAGES_SUPPORTED,
'languages_enabled': EnabledLanguage.list(store),
'configured': configured
}
l10n_dict = NodeL10NFactory(store).localized_dict(language)
return utils.sets.merge_dicts(node_dict, misc_dict, l10n_dict)
def evaluate_update_notification(store, latest_version):
priv_fact = PrivateFactory(store)
stored_latest = priv_fact.get_val(u'latest_version')
if V(stored_latest) < V(latest_version):
priv_fact.set_val(u'latest_version', latest_version)
for user_desc in db_get_admin_users(store):
lang = user_desc['language']
template_vars = {
'type': 'software_update_available',
'latest_version': latest_version,
'node': db_admin_serialize_node(store, lang),
'notification': db_get_notification(store, lang),
'user': user_desc,
}
format_and_send(store, user_desc, template_vars)
def db_perform_data_update(store):
prv = PrivateFactory(store)
stored_ver = prv.get_val('version')
t = (stored_ver, __version__)
# Catch all failures
if stored_ver != __version__:
prv.set_val('version', __version__)
appdata = db_update_appdata(store)
config.update_defaults(store)
l10n.update_defaults(store, appdata)
db_fix_fields_attrs(store)
ok = config.is_cfg_valid(store)
if not ok:
m = 'Error: the system is not stable, update failed from %s to %s' % t
raise DatabaseIntegrityError(m)
def db_perform_data_update(store):
prv = PrivateFactory(store)
stored_ver = prv.get_val('version')
t = (stored_ver, __version__)
if stored_ver != __version__:
prv.set_val('version', __version__)
# The below commands can change the current store based on the what is
# currently stored in the DB.
appdata = db_update_appdata(store)
l10n.update_defaults(store, appdata)
config.update_defaults(store)
db_fix_fields_attrs(store)
ok = config.is_cfg_valid(store)
if not ok:
m = 'Error: the system is not stable, update failed from %s to %s' % t
raise Exception(m)
def db_perform_data_update(store):
prv = PrivateFactory(store)
stored_ver = prv.get_val('version')
t = (stored_ver, __version__)
if stored_ver != __version__:
prv.set_val('version', __version__)
# The below commands can change the current store based on the what is
# currently stored in the DB.
appdata = db_update_appdata(store)
l10n.update_defaults(store, appdata)
config.update_defaults(store)
db_fix_fields_attrs(store)
ok = config.is_cfg_valid(store)
if not ok:
m = 'Error: the system is not stable, update failed from %s to %s' % t
raise Exception(m)
def create_file(store, cls):
log.info("Generating an ACME account key with %d bits" %
GLSettings.key_bits)
# NOTE key size is hard coded to align with minimum CA requirements
# TODO change format to OpenSSL key to normalize types of keys used
priv_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
log.debug("Saving the ACME key")
b = priv_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
PrivateFactory(store).set_val('acme', True)
PrivateFactory(store).set_val('acme_accnt_key', b)
return priv_key
def db_maybe_launch_https_workers(self, store):
privFact = PrivateFactory(store)
on = privFact.get_val('https_enabled')
if not on:
log.info("Not launching workers")
yield defer.succeed(None)
return
db_cfg = load_tls_dict(store)
self.tls_cfg.update(db_cfg)
chnv = tls.ChainValidator()
ok, err = chnv.validate(db_cfg, must_be_disabled=False)
if ok and err is None:
log.info("Decided to launch https workers")
yield self.launch_https_workers()
else:
log.info("Not launching https workers due to %s" % err)
yield defer.fail(err)
def _setUp(self, store):
valid_setup = test_tls.get_valid_setup()
prv_fact = PrivateFactory(store)
prv_fact.set_val(u'https_cert', valid_setup['cert'])
prv_fact.set_val(u'https_enabled', True)
db_refresh_memory_variables(store)
def db_serialize(store):
c = PrivateFactory(store).get_val('https_cert')
if len(c) == 0:
return {'name': 'cert', 'set': False}
x509 = crypto.load_certificate(FILETYPE_PEM, c)
expr_date = format_cert_expr_date(x509.get_notAfter())
return {
'name': 'cert',
'issuer': tls.parse_issuer_name(x509),
'expiration_date': datetime_to_ISO8601(expr_date),
'set': True,
}
def db_serialize(store):
c = PrivateFactory(store).get_val('https_chain')
if len(c) == 0:
return {'name': 'chain', 'set': False}
x509 = load_certificate(FILETYPE_PEM, c)
expr_date = format_cert_expr_date(x509.get_notAfter())
return {
'name': 'chain',
'issuer': x509.get_issuer().organizationName,
'expiration_date': datetime_to_ISO8601(expr_date),
'set': True,
}
def create_file(store, cls, raw_key):
db_cfg = load_tls_dict(store)
db_cfg['ssl_key'] = raw_key
prv_fact = PrivateFactory(store)
pkv = cls.validator()
ok, _ = pkv.validate(db_cfg)
if ok:
prv_fact.set_val(u'https_priv_key', raw_key)
prv_fact.set_val(u'https_priv_gen', False)
return ok
def update_notification(store, request, language):
notif = NotificationFactory(store)
notif.update(request)
smtp_pw = request.pop('smtp_password', u'')
if smtp_pw != u'':
PrivateFactory(store).set_val(u'smtp_password', smtp_pw)
notif_l10n = NotificationL10NFactory(store)
notif_l10n.update(request, language)
if request.pop('reset_templates'):
notif_l10n.reset_templates(load_appdata())
# Since the Notification object has been changed refresh the global copy.
db_refresh_memory_variables(store)
return admin_serialize_notification(store, language)
def db_admin_serialize_node(store, language):
node_dict = NodeFactory(store).admin_export()
# Contexts and Receivers relationship
configured = store.find(models.ReceiverContext).count() > 0
custom_homepage = os.path.isfile(os.path.join(GLSettings.static_path, "custom_homepage.html"))
misc_dict = {
'version': PrivateFactory(store).get_val('version'),
'languages_supported': LANGUAGES_SUPPORTED,
'languages_enabled': EnabledLanguage.list(store),
'configured': configured,
'custom_homepage': custom_homepage,
}
l10n_dict = NodeL10NFactory(store).localized_dict(language)
return utils.sets.disjoint_union(node_dict, misc_dict, l10n_dict)
def create_file(store, cls, raw_key):
db_cfg = load_tls_dict(store)
db_cfg['ssl_key'] = raw_key
prv_fact = PrivateFactory(store)
pkv = cls.validator()
ok, err = pkv.validate(db_cfg)
if ok:
prv_fact.set_val('https_priv_key', raw_key)
prv_fact.set_val('https_priv_gen', False)
else:
log.debug('Key validation failed')
return ok
def db_refresh_memory_variables(store):
"""
This routine loads in memory few variables of node and notification tables
that are subject to high usage.
"""
node_ro = ObjectDict(NodeFactory(store).admin_export())
GLSettings.memory_copy = node_ro
GLSettings.memory_copy.accept_tor2web_access = {
'admin': node_ro.tor2web_admin,
'custodian': node_ro.tor2web_custodian,
'whistleblower': node_ro.tor2web_whistleblower,
'receiver': node_ro.tor2web_receiver
}
enabled_langs = models.l10n.EnabledLanguage.list(store)
GLSettings.memory_copy.languages_enabled = enabled_langs
notif_fact = NotificationFactory(store)
notif_ro = ObjectDict(notif_fact.admin_export())
GLSettings.memory_copy.notif = notif_ro
if GLSettings.developer_name:
GLSettings.memory_copy.notif.source_name = GLSettings.developer_name
db_refresh_exception_delivery_list(store)
GLSettings.memory_copy.private = ObjectDict(
PrivateFactory(store).mem_copy_export())
if GLSettings.memory_copy.private.admin_api_token_digest != '':
api_id = store.find(User.id, User.role == u'admin').order_by(
User.creation_date).first()
if api_id is not None:
GLSettings.appstate.api_token_session = GLSession(
api_id, 'admin', 'enabled')
def toggle_https(store, enabled):
PrivateFactory(store).set_val('https_enabled', enabled)
def set_api_digest(store, s):
PrivateFactory(store).set_val('admin_api_token_digest', s)
