def db_acme_cert_issuance(store): hostname = GLSettings.memory_copy.hostname raw_accnt_key = PrivateFactory(store).get_val('acme_accnt_key') accnt_key = serialization.load_pem_private_key(str(raw_accnt_key), password=None, backend=default_backend()) priv_key = PrivateFactory(store).get_val('https_priv_key') regr_uri = PrivateFactory(store).get_val('acme_accnt_uri') csr_fields = {'CN': hostname} # NOTE sha256 is always employed as hash fnc here. csr = tls.gen_x509_csr(priv_key, csr_fields, 256) # Run ACME registration all the way to resolution cert_str, chain_str = letsencrypt.run_acme_reg_to_finish(hostname, regr_uri, accnt_key, priv_key, csr, tmp_chall_dict, GLSettings.acme_directory_url) PrivateFactory(store).set_val('https_cert', cert_str) PrivateFactory(store).set_val('https_chain', chain_str)
def db_serialize(store): prv_fact = PrivateFactory(store) return { 'set': prv_fact.get_val('https_priv_key') != u'', 'gen': prv_fact.get_val('https_priv_gen') }
def db_maybe_launch_https_workers(self, store): privFact = PrivateFactory(store) on = privFact.get_val(u'https_enabled') if not on: log.info("Not launching workers") return defer.succeed(None) site_cfgs = load_tls_dict_list(store) valid_cfgs, err = [], None # Determine which site_cfgs are valid and only pass those to the child. for db_cfg in site_cfgs: chnv = tls.ChainValidator() ok, err = chnv.validate(db_cfg, must_be_disabled=False, check_expiration=False) if ok and err is None: valid_cfgs.append(db_cfg) self.tls_cfg['site_cfgs'] = valid_cfgs if not valid_cfgs: log.info("Not launching https workers due to %s", err) return defer.fail(err) log.info("Decided to launch https workers") return self.launch_https_workers()
def set_onion_service_info(store, hostname, key): node_fact = NodeFactory(store) node_fact.set_val(u'onionservice', hostname) priv_fact = PrivateFactory(store) priv_fact.set_val(u'tor_onion_key', key) GLApiCache.invalidate()
def get_onion_service_info(store): node_fact = NodeFactory(store) hostname = node_fact.get_val(u'onionservice') priv_fact = PrivateFactory(store) key = priv_fact.get_val(u'tor_onion_key') return hostname, key
def create_file(store, cls, raw_chain): prv_fact = PrivateFactory(store) db_cfg = load_tls_dict(store) db_cfg['ssl_intermediate'] = raw_chain cv = cls.validator() ok, _ = cv.validate(db_cfg) if ok: prv_fact.set_val(u'https_chain', raw_chain) return ok
def try_to_enable_https(store): prv_fact = PrivateFactory(store) cv = tls.ChainValidator() db_cfg = load_tls_dict(store) db_cfg['https_enabled'] = False ok, err = cv.validate(db_cfg) if ok: prv_fact.set_val('https_enabled', True) GLSettings.memory_copy.private.https_enabled = True else: raise err
def create_file(store, cls, raw_chain): prv_fact = PrivateFactory(store) db_cfg = load_tls_dict(store) db_cfg['ssl_intermediate'] = raw_chain cv = cls.validator() ok, err = cv.validate(db_cfg) if ok: prv_fact.set_val('https_chain', raw_chain) else: log.debug('Chain validation failed') return ok
def try_to_enable_https(store): prv_fact = PrivateFactory(store) cv = tls.ChainValidator() db_cfg = load_tls_dict(store) db_cfg['https_enabled'] = False ok, err = cv.validate(db_cfg) if ok: prv_fact.set_val(u'https_enabled', True) State.tenant_cache[1].private.https_enabled = True else: raise err
def create_file(store, cls, raw_cert): prv_fact = PrivateFactory(store) db_cfg = load_tls_dict(store) db_cfg['ssl_cert'] = raw_cert cv = cls.validator() ok, err = cv.validate(db_cfg) if ok: prv_fact.set_val('https_cert', raw_cert) else: log.err("Cert validation failed") return ok
def create_file(store, cls, raw_cert): prv_fact = PrivateFactory(store) db_cfg = load_tls_dict(store) db_cfg['ssl_cert'] = raw_cert cv = cls.validator() ok, _ = cv.validate(db_cfg) if ok: prv_fact.set_val(u'https_cert', raw_cert) State.tenant_cache[1].https_cert = raw_cert return ok
def serialize_https_config_summary(store): prv_fact = PrivateFactory(store) file_summaries = {} for key, file_res_cls in FileHandler.mapped_file_resources.items(): file_summaries[key] = file_res_cls.db_serialize(store) return { 'enabled': prv_fact.get_val(u'https_enabled'), 'running': State.process_supervisor.is_running(), 'status': State.process_supervisor.get_status(), 'files': file_summaries, 'acme': prv_fact.get_val(u'acme') }
def db_refresh_memory_variables(store): """ This routine loads in memory few variables of node and notification tables that are subject to high usage. """ node_ro = ObjectDict(NodeFactory(store).admin_export()) GLSettings.memory_copy = node_ro GLSettings.memory_copy.accept_tor2web_access = { 'admin': node_ro.tor2web_admin, 'custodian': node_ro.tor2web_custodian, 'whistleblower': node_ro.tor2web_whistleblower, 'receiver': node_ro.tor2web_receiver, 'unauth': node_ro.tor2web_unauth } enabled_langs = models.l10n.EnabledLanguage.list(store) GLSettings.memory_copy.languages_enabled = enabled_langs notif_ro = ObjectDict(NotificationFactory(store).admin_export()) GLSettings.memory_copy.notif = notif_ro if GLSettings.developer_name: GLSettings.memory_copy.notif.source_name = GLSettings.developer_name if GLSettings.disable_mail_notification: GLSettings.memory_copy.notif.disable_admin_notification_emails = True GLSettings.memory_copy.notif.disable_custodian_notification_emails = True GLSettings.memory_copy.notif.disable_receiver_notification_emails = True GLSettings.memory_copy.private = ObjectDict( PrivateFactory(store).mem_copy_export())
def db_serialize(store): c = PrivateFactory(store).get_val('https_csr') if len(c) == 0: return {'name': 'csr', 'set': False} return { 'name': 'csr', 'set': True, }
def db_admin_serialize_node(store, language): node_dict = NodeFactory(store).admin_export() priv_dict = PrivateFactory(store) # Contexts and Receivers relationship configured = store.find(models.ReceiverContext).count() > 0 misc_dict = { 'version': priv_dict.get_val(u'version'), 'latest_version': priv_dict.get_val(u'latest_version'), 'languages_supported': LANGUAGES_SUPPORTED, 'languages_enabled': EnabledLanguage.list(store), 'configured': configured } l10n_dict = NodeL10NFactory(store).localized_dict(language) return utils.sets.merge_dicts(node_dict, misc_dict, l10n_dict)
def evaluate_update_notification(store, latest_version): priv_fact = PrivateFactory(store) stored_latest = priv_fact.get_val(u'latest_version') if V(stored_latest) < V(latest_version): priv_fact.set_val(u'latest_version', latest_version) for user_desc in db_get_admin_users(store): lang = user_desc['language'] template_vars = { 'type': 'software_update_available', 'latest_version': latest_version, 'node': db_admin_serialize_node(store, lang), 'notification': db_get_notification(store, lang), 'user': user_desc, } format_and_send(store, user_desc, template_vars)
def db_perform_data_update(store): prv = PrivateFactory(store) stored_ver = prv.get_val('version') t = (stored_ver, __version__) # Catch all failures if stored_ver != __version__: prv.set_val('version', __version__) appdata = db_update_appdata(store) config.update_defaults(store) l10n.update_defaults(store, appdata) db_fix_fields_attrs(store) ok = config.is_cfg_valid(store) if not ok: m = 'Error: the system is not stable, update failed from %s to %s' % t raise DatabaseIntegrityError(m)
def db_perform_data_update(store): prv = PrivateFactory(store) stored_ver = prv.get_val('version') t = (stored_ver, __version__) if stored_ver != __version__: prv.set_val('version', __version__) # The below commands can change the current store based on the what is # currently stored in the DB. appdata = db_update_appdata(store) l10n.update_defaults(store, appdata) config.update_defaults(store) db_fix_fields_attrs(store) ok = config.is_cfg_valid(store) if not ok: m = 'Error: the system is not stable, update failed from %s to %s' % t raise Exception(m)
def create_file(store, cls): log.info("Generating an ACME account key with %d bits" % GLSettings.key_bits) # NOTE key size is hard coded to align with minimum CA requirements # TODO change format to OpenSSL key to normalize types of keys used priv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) log.debug("Saving the ACME key") b = priv_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) PrivateFactory(store).set_val('acme', True) PrivateFactory(store).set_val('acme_accnt_key', b) return priv_key
def db_maybe_launch_https_workers(self, store): privFact = PrivateFactory(store) on = privFact.get_val('https_enabled') if not on: log.info("Not launching workers") yield defer.succeed(None) return db_cfg = load_tls_dict(store) self.tls_cfg.update(db_cfg) chnv = tls.ChainValidator() ok, err = chnv.validate(db_cfg, must_be_disabled=False) if ok and err is None: log.info("Decided to launch https workers") yield self.launch_https_workers() else: log.info("Not launching https workers due to %s" % err) yield defer.fail(err)
def _setUp(self, store): valid_setup = test_tls.get_valid_setup() prv_fact = PrivateFactory(store) prv_fact.set_val(u'https_cert', valid_setup['cert']) prv_fact.set_val(u'https_enabled', True) db_refresh_memory_variables(store)
def db_serialize(store): c = PrivateFactory(store).get_val('https_cert') if len(c) == 0: return {'name': 'cert', 'set': False} x509 = crypto.load_certificate(FILETYPE_PEM, c) expr_date = format_cert_expr_date(x509.get_notAfter()) return { 'name': 'cert', 'issuer': tls.parse_issuer_name(x509), 'expiration_date': datetime_to_ISO8601(expr_date), 'set': True, }
def db_serialize(store): c = PrivateFactory(store).get_val('https_chain') if len(c) == 0: return {'name': 'chain', 'set': False} x509 = load_certificate(FILETYPE_PEM, c) expr_date = format_cert_expr_date(x509.get_notAfter()) return { 'name': 'chain', 'issuer': x509.get_issuer().organizationName, 'expiration_date': datetime_to_ISO8601(expr_date), 'set': True, }
def create_file(store, cls, raw_key): db_cfg = load_tls_dict(store) db_cfg['ssl_key'] = raw_key prv_fact = PrivateFactory(store) pkv = cls.validator() ok, _ = pkv.validate(db_cfg) if ok: prv_fact.set_val(u'https_priv_key', raw_key) prv_fact.set_val(u'https_priv_gen', False) return ok
def update_notification(store, request, language): notif = NotificationFactory(store) notif.update(request) smtp_pw = request.pop('smtp_password', u'') if smtp_pw != u'': PrivateFactory(store).set_val(u'smtp_password', smtp_pw) notif_l10n = NotificationL10NFactory(store) notif_l10n.update(request, language) if request.pop('reset_templates'): notif_l10n.reset_templates(load_appdata()) # Since the Notification object has been changed refresh the global copy. db_refresh_memory_variables(store) return admin_serialize_notification(store, language)
def db_admin_serialize_node(store, language): node_dict = NodeFactory(store).admin_export() # Contexts and Receivers relationship configured = store.find(models.ReceiverContext).count() > 0 custom_homepage = os.path.isfile(os.path.join(GLSettings.static_path, "custom_homepage.html")) misc_dict = { 'version': PrivateFactory(store).get_val('version'), 'languages_supported': LANGUAGES_SUPPORTED, 'languages_enabled': EnabledLanguage.list(store), 'configured': configured, 'custom_homepage': custom_homepage, } l10n_dict = NodeL10NFactory(store).localized_dict(language) return utils.sets.disjoint_union(node_dict, misc_dict, l10n_dict)
def create_file(store, cls, raw_key): db_cfg = load_tls_dict(store) db_cfg['ssl_key'] = raw_key prv_fact = PrivateFactory(store) pkv = cls.validator() ok, err = pkv.validate(db_cfg) if ok: prv_fact.set_val('https_priv_key', raw_key) prv_fact.set_val('https_priv_gen', False) else: log.debug('Key validation failed') return ok
def db_refresh_memory_variables(store): """ This routine loads in memory few variables of node and notification tables that are subject to high usage. """ node_ro = ObjectDict(NodeFactory(store).admin_export()) GLSettings.memory_copy = node_ro GLSettings.memory_copy.accept_tor2web_access = { 'admin': node_ro.tor2web_admin, 'custodian': node_ro.tor2web_custodian, 'whistleblower': node_ro.tor2web_whistleblower, 'receiver': node_ro.tor2web_receiver } enabled_langs = models.l10n.EnabledLanguage.list(store) GLSettings.memory_copy.languages_enabled = enabled_langs notif_fact = NotificationFactory(store) notif_ro = ObjectDict(notif_fact.admin_export()) GLSettings.memory_copy.notif = notif_ro if GLSettings.developer_name: GLSettings.memory_copy.notif.source_name = GLSettings.developer_name db_refresh_exception_delivery_list(store) GLSettings.memory_copy.private = ObjectDict( PrivateFactory(store).mem_copy_export()) if GLSettings.memory_copy.private.admin_api_token_digest != '': api_id = store.find(User.id, User.role == u'admin').order_by( User.creation_date).first() if api_id is not None: GLSettings.appstate.api_token_session = GLSession( api_id, 'admin', 'enabled')
def toggle_https(store, enabled): PrivateFactory(store).set_val('https_enabled', enabled)
def set_api_digest(store, s): PrivateFactory(store).set_val('admin_api_token_digest', s)